Bug 23436

Summary: gdm new security issues CVE-2018-14424 and CVE-2019-3825
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: GNOME maintainers <gnome>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: marja11, mhrambo3501
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: gdm-3.28.0-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-08-13 19:52:51 CEST 
A security issue in gdm has been made public today (August 13):
https://gitlab.gnome.org/GNOME/gdm/issues/401

Mageia 5 or Mageia 6 may also be affected.
Marja Van Waes 2018-08-13 21:35:25 CEST

CC: (none) => marja11
Assignee: bugsquad => gnome

Comment 1 David Walser 2018-08-13 23:08:14 CEST 
Ubuntu has issued an advisory for this today (August 13):
https://usn.ubuntu.com/3737-1/

Severity: normal => major

Comment 2 David Walser 2018-08-14 13:54:05 CEST 
Announcement of the issue with link to the fix:
http://openwall.com/lists/oss-security/2018/08/14/1
Comment 3 David Walser 2018-08-14 23:13:16 CEST 
Debian has issued an advisory for this on August 13:
https://www.debian.org/security/2018/dsa-4270

At least Mageia 6 is also affected.

Whiteboard: (none) => MGA6TOO

Comment 4 David Walser 2018-08-16 19:56:17 CEST 
I'm guessing gdm-3.29.91-1.mga7 fixes it (also fixed upstream in 3.28.3):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O375LD3DT2VXJF7MQAI3ORW6CNLS5CZE/

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 5 David Walser 2018-10-12 23:56:17 CEST 
openSUSE has issued an advisory for this on September 24:
https://lists.opensuse.org/opensuse-updates/2018-09/msg00139.html
Comment 6 David Walser 2019-02-20 23:59:09 CET 
Ubuntu has issued an advisory today (February 20):
https://usn.ubuntu.com/3892-1/

Should be fixed in gdm-3.30.2-2.mga7 in Cauldron.

Summary: gdm new security issue CVE-2018-14424 => gdm new security issues CVE-2018-14424 and CVE-2019-3825

Comment 7 David Walser 2019-03-08 22:25:44 CET 
openSUSE has issued an advisory for the new CVE today (March 8):
https://lists.opensuse.org/opensuse-updates/2019-03/msg00041.html
Comment 8 David Walser 2019-03-12 22:47:15 CET 
Fedora has issued an advisory for the new CVE on March 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LTST2DR6AX72XV76ZQCXME5PVKYDUVJK/

It is fixed in 3.30.3.
Comment 9 Mike Rambo 2019-11-06 13:35:31 CET 
Mageia 6 is EOL.

CC: (none) => mrambo
Resolution: (none) => OLD
Status: NEW => RESOLVED