Bug 19553

Summary: libgit2 new security issues CVE-2016-856[89]]
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Thierry Vignaud <thierry.vignaud>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: jani.valimaa, mageia
Version: 5
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/703984/
Whiteboard:
Source RPM: libgit2-0.24.1-1.mga6.src.rpm
CVE:
Status comment:
Bug Depends on: 19792
Bug Blocks:

Description David Walser 2016-10-08 20:45:30 CEST
CVE has been assigned for two security issues in libgit2:
http://openwall.com/lists/oss-security/2016/10/08/7

Fixes are being prepared upstream.

Mageia 5 is probably also affected.

David Walser 2016-10-08 20:45:43 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-10-19 22:06:03 CEST
Fedora has issued an advisory for this on October 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4E77DG5KGQ7L34U75QY7O6NIPKZNQHQJ/

URL: (none) => http://lwn.net/Vulnerabilities/703984/

Comment 2 David Walser 2017-01-10 15:32:27 CET
CVEs have been requested for two more security issues in libgit2:
http://openwall.com/lists/oss-security/2017/01/10/5

The commits to fix them are linked in the message above and they are fixed in 0.24.6.

CC: (none) => jani.valimaa

Comment 3 David Walser 2017-01-10 22:19:28 CET
libgit2-0.24.6-1.mga6 uploaded for Cauldron by Jani, fixing these.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 David Walser 2017-01-11 11:51:18 CET
CVE-2016-1012[89], CVE-2016-10130, and CVE-2017-533[89] assigned:
http://openwall.com/lists/oss-security/2017/01/11/6

Summary: libgit2 new security issues CVE-2016-8568 and CVE-2016-8569 => libgit2 new security issues CVE-2016-856[89], CVE-2016-1012[89], CVE-2016-10130, and CVE-2017-533[89]

Comment 5 David Walser 2017-01-15 00:09:03 CET
(In reply to David Walser from comment #4)
> CVE-2016-1012[89], CVE-2016-10130, and CVE-2017-533[89] assigned:
> http://openwall.com/lists/oss-security/2017/01/11/6

Fedora has issued an advisory for this on January 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7EO3ZLOT4QLXSD2D24FUGV4DDLIMI5ZK/

LWN reference:
https://lwn.net/Vulnerabilities/711586/

Nicolas Lécureuil 2017-08-11 15:07:59 CEST

CC: (none) => mageia
Summary: libgit2 new security issues CVE-2016-856[89], CVE-2016-1012[89], CVE-2016-10130, and CVE-2017-533[89] => libgit2 new security issues CVE-2016-856[89], CVE-2016-10130, and CVE-2017-533[89]

Nicolas Lécureuil 2017-08-11 15:08:21 CEST

Summary: libgit2 new security issues CVE-2016-856[89], CVE-2016-10130, and CVE-2017-533[89] => libgit2 new security issues CVE-2016-856[89], CVE-2017-533[89]]

Nicolas Lécureuil 2017-08-11 15:08:37 CEST

Summary: libgit2 new security issues CVE-2016-856[89], CVE-2017-533[89]] => libgit2 new security issues CVE-2016-856[89]]

Comment 6 Nicolas Lécureuil 2017-08-11 15:22:54 CEST
CVE-2016-8568 and CVE-2016-8569 are now fixed on svn

src.rpm:
         libgit2-0.21.1-3.2.mga5

Assignee: thierry.vignaud => qa-bugs

Comment 7 David Walser 2017-08-11 15:49:35 CEST
Thanks.  We can't assign two bugs to QA for the same package though.

Assignee: qa-bugs => thierry.vignaud
Depends on: (none) => 19792

Comment 8 Nicolas Lécureuil 2017-08-11 15:57:13 CEST
Can't we push/test all at once?

Comment 9 David Walser 2017-08-12 02:13:00 CEST
(In reply to Nicolas Lécureuil from comment #8)
> Can't we push/test all at once?

Yeah, we just have to link the bugs and assign only one of them to QA (the one that blocks the other).  I made this one depend on the other and we'll have QA test it in Bug 19792.

Comment 10 David Walser 2017-08-29 22:40:22 CEST
Fixed in:
http://advisories.mageia.org/MGASA-2017-0319.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED