Bug 25799

Summary: u-boot new security issues CVE-2019-1310[3-6]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Olivier Blin <mageia>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: mageia, ouaurelien, rihoward1
Version: 7   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: u-boot-20180507-3.mga7.src.rpm CVE:
Status comment: Patches available from upstream

Description David Walser 2019-12-03 17:46:51 CET
openSUSE has issued an advisory on October 1:
https://lists.opensuse.org/opensuse-updates/2019-10/msg00004.html

Mageia 7 is also affected.

David Walser 2019-12-03 17:47:01 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-03 19:14:25 CET
Assigning to registered - also most recent - maintainer, Olivier.

Assignee: bugsquad => mageia

Comment 2 r howard 2019-12-03 20:14:17 CET
There are 4 CVEs related to this:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13106

The fixes were applied to the denx u-boot master branch in July 2019.

CC: (none) => rihoward1

Comment 3 David Walser 2019-12-03 21:50:46 CET
Thanks.

Summary: u-boot new security issues CVE-2019-13104 and CVE-2019-13106 => u-boot new security issues CVE-2019-1310[3-6]

Comment 4 Aurelien Oudelet 2020-09-23 18:17:45 CEST
u-boot-tools-20180507-4.mga8.src.rpm in Cauldron.

Source RPM: u-boot-20180507-3.mga7.src.rpm => u-boot-tools-20180507-3.mga7.src.rpm
CC: (none) => ouaurelien

David Walser 2020-09-23 18:31:46 CEST

Source RPM: u-boot-tools-20180507-3.mga7.src.rpm => u-boot-20180507-3.mga7.src.rpm

Comment 5 David Walser 2020-09-23 18:32:29 CEST
No, it's u-boot, not u-boot-tools.

Comment 6 Aurelien Oudelet 2020-10-06 16:27:52 CEST
U-Boot 2020.10 is released upstream.

Comment 7 Nicolas Lécureuil 2021-01-06 18:56:22 CET
CVE-2019-13103 : Fixed in cauldron
https://gitlab.denx.de/u-boot/u-boot/commit/232e2f4fd9a24bf08215ddc8c53ccadffc841fb5

CVE-2019-13104 : Fixed in cauldron
https://gitlab.denx.de/u-boot/u-boot/commit/878269dbe74229005dd7f27aca66c554e31dad8e


CVE-2019-13105 : Fixed in cauldron
https://gitlab.denx.de/u-boot/u-boot/commit/6e5a79de658cb1c8012c86e0837379aa6eabd024

CVE-2019-13106 : Fixed in cauldron
https://gitlab.denx.de/u-boot/u-boot/commit/e205896c5383c938274262524adceb2775fb03ba

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => mageia

David Walser 2021-01-06 23:15:51 CET

Status comment: (none) => Patches available from upstream

Comment 8 David Walser 2021-07-01 18:20:18 CEST
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Resolution: (none) => OLD
Status: NEW => RESOLVED