Bug 25642

Summary: libsoup new security issue CVE-2019-17266
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: brtians1, mhrambo3501, olav, sysadmin-bugs, tmb
Version: 7Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: libsoup-2.66.1-2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-10-31 05:03:40 CET 
Ubuntu has issued an advisory on October 9:
https://usn.ubuntu.com/4152-1/

The issue was fixed upstream in 2.68.1.
Comment 1 Lewis Smith 2019-10-31 09:50:55 CET 
This package has no maintainer, so assigning this bug globally. CC'ing Olav as having seen it often before.

CC: (none) => olav
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2019-10-31 17:03:55 CET 
Patched package uploaded for Mageia 7.

Advisory:
========================

Updated libsoup package fixes security vulnerability:

It was discovered that libsoup incorrectly handled parsing certain NTLM messages. If a user or automated system were tricked into connecting to a malicious server, a remote attacker could possibly use this issue to cause a denial of service (CVE-2019-17266).


References:
https://usn.ubuntu.com/4152-1/
https://nvd.nist.gov/vuln/detail/CVE-2019-17266
========================

Updated packages in core/updates_testing:
========================
libsoup-i18n-2.66.1-2.1.mga7.noarch.rpm
lib64soup2.4_1-2.66.1-2.1.mga7
lib64soup-devel-2.66.1-2.1.mga7
lib64soup-gir2.4-2.66.1-2.1.mga7

from libsoup-2.66.1-2.1.mga7.src.rpm


Test procedure: https://bugs.mageia.org/show_bug.cgi?id=23275#c4

Keywords: (none) => has_procedure
Assignee: pkg-bugs => qa-bugs
CC: (none) => mrambo

Comment 3 Brian Rockwell 2019-11-01 21:08:01 CET 
$ uname -a
Linux linux.local 5.3.7-desktop-4.mga7 #1 SMP Thu Oct 24 20:11:12 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

This is a GNOME DE

The following 3 packages are going to be installed:

- lib64soup-gir2.4-2.66.1-2.1.mga7.x86_64
- lib64soup2.4_1-2.66.1-2.1.mga7.x86_64
- libsoup-i18n-2.66.1-2.1.mga7.noarch

--rebooted

tested shotwell.  Seems to work

MGA7-64-OK

Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1

Thomas Backlund 2019-11-02 16:51:36 CET

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 4 Mageia Robot 2019-11-02 17:56:16 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0312.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED