| Summary: | quassel new security issues fixed upstream in 0.12.5 (CVE-2018-1000178 and CVE-2018-1000179) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | geiger.david68210, herman.viaene, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-32-OK MGA6-64-OK | ||
| Source RPM: | quassel-0.12.4-4.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2018-04-27 16:57:40 CEST
David Walser
2018-04-27 16:57:49 CEST
Whiteboard:
(none) =>
MGA5TOO Mageia 6 build queued by David; BS is stuck. quassel-0.12.5-1.mga6 quassel-common-0.12.5-1.mga6 quassel-client-0.12.5-1.mga6 quassel-core-0.12.5-1.mga6 from quassel-0.12.5-1.mga6.src.rpm unfortablely the two patches doesn't apply in 0.10.1 release from mga5! CVE assignments: http://openwall.com/lists/oss-security/2018/05/01/1 I see only a few hunks fail in mga5, so a backport should be possible. Will try to look at it later. Summary:
quassel new security issues fixed upstream in 0.12.5 =>
quassel new security issues fixed upstream in 0.12.5 (CVE-2018-1000178 and CVE-2018-1000179) That wasn't too bad. Advisory: ======================== Updated quassel packages fix security vulnerabilities: A heap corruption exists in quassel version 0.12.4 in quasselcore that allows an attacker to execute code remotely (CVE-2018-1000178). A NULL Pointer Dereference exists in quassel version 0.12.4 in the quasselcore that allows an atacker to denial of service by attempting a login when the database is not initialized (CVE-2018-1000179). The Mageia 5 package has been patched to fix these issues and the Mageia 6 package has been upgraded to version 0.12.5, which also has other fixes and improvements. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000178 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000179 http://openwall.com/lists/oss-security/2018/05/01/1 https://quassel-irc.org/node/130 ======================== Updated packages in core/updates_testing: ======================== quassel-0.10.1-5.3.mga5 quassel-common-0.10.1-5.3.mga5 quassel-client-0.10.1-5.3.mga5 quassel-core-0.10.1-5.3.mga5 quassel-0.12.5-1.mga6 quassel-common-0.12.5-1.mga6 quassel-client-0.12.5-1.mga6 quassel-core-0.12.5-1.mga6 from SRPMS: quassel-0.10.1-5.3.mga5.src.rpm quassel-0.12.5-1.mga6.src.rpm CC:
(none) =>
geiger.david68210 Debian has issued an advisory for this on May 2: https://www.debian.org/security/2018/dsa-4189 MGA5-32 on Dell Latitude D600 Xfce No installation issues. Could use quassel to connect to irc.freenode.org channel #mageia-qa. I see the list of users, I can post, but no one responded> Seems OK to me. Whiteboard:
MGA5TOO =>
MGA5TOO MGA5-32-OK Mageia 6, x86_64. Installed and updated the packages. Before the update ran the wizard. $ quassel Opened the gui at freenode. Connected to #mageia-qa after giving my password. Nobody about - talking to myself. It works OK. CC:
(none) =>
tarazed25
Lewis Smith
2018-05-13 19:47:05 CEST
Keywords:
(none) =>
advisory, validated_update An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0243.html Status:
NEW =>
RESOLVED |