Bug 27411

Fedora has issued an advisory for this on October 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3BID3HVHAF6DA3YJOFDBSAZSMR3ODNIW/

Hi, thanks for reporting this bug.
Assigned to all package maintainer, as no registered one.
CC'ed recent commiter.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => nicolas.salguero
Keywords: (none) => Triaged
Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is enabled, as demonstrated by a large PAC file that is delivered without a Content-length header. (CVE-2020-26154)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26154
https://lists.suse.com/pipermail/sle-security-updates/2020-October/007540.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3BID3HVHAF6DA3YJOFDBSAZSMR3ODNIW/
========================

Updated packages in core/updates_testing:
========================
lib(64)proxy1-0.4.15-4.2.mga7
libproxy-utils-0.4.15-4.2.mga7
python2-libproxy-0.4.15-4.2.mga7
python3-libproxy-0.4.15-4.2.mga7
libproxy-perl-0.4.15-4.2.mga7
libproxy-gxsettings-0.4.15-4.2.mga7
lib(64)proxy-gnome-0.4.15-4.2.mga7
lib(64)proxy-kde-0.4.15-4.2.mga7
lib(64)proxy-networkmanager-0.4.15-4.2.mga7
lib(64)proxy-webkit-0.4.15-4.2.mga7
libproxy-pacrunner-0.4.15-4.2.mga7
lib(64)proxy-devel-0.4.15-4.2.mga7

from SRPM:
libproxy-0.4.15-4.2.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
Keywords: Triaged => (none)
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-26154
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Source RPM: libproxy-0.4.15-10.mga8.src.rpm => libproxy-0.4.15-4.1.mga7.src.rpm

$ uname -a
Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The following 6 packages are going to be installed:

- lib64proxy-gnome-0.4.15-4.2.mga7.x86_64
- lib64proxy-networkmanager-0.4.15-4.2.mga7.x86_64
- lib64proxy-webkit-0.4.15-4.2.mga7.x86_64
- lib64proxy1-0.4.15-4.2.mga7.x86_64
- libproxy-gxsettings-0.4.15-4.2.mga7.x86_64
- libproxy-utils-0.4.15-4.2.mga7.x86_64

19KB of additional disk space will be used.

--note I'm updating the already installed modules from 4.1 to 4.2


REbooted

Utilities seem to be working and no network connection issues.

CC: (none) => brtians1

(In reply to Brian Rockwell from comment #4)
> $ uname -a
> Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020
> x86_64 x86_64 x86_64 GNU/Linux
> 
> The following 6 packages are going to be installed:
> 
> - lib64proxy-gnome-0.4.15-4.2.mga7.x86_64
> - lib64proxy-networkmanager-0.4.15-4.2.mga7.x86_64
> - lib64proxy-webkit-0.4.15-4.2.mga7.x86_64
> - lib64proxy1-0.4.15-4.2.mga7.x86_64
> - libproxy-gxsettings-0.4.15-4.2.mga7.x86_64
> - libproxy-utils-0.4.15-4.2.mga7.x86_64
> 
> 19KB of additional disk space will be used.
> 
> --note I'm updating the already installed modules from 4.1 to 4.2
> 
> 
> REbooted
> 
> Utilities seem to be working and no network connection issues.

Does your system use a proxy on your network to go online?
I don't see this on your above comment.

Meanwhile, using a squid server on my M7 system listening to my private network (on 198.168.1.254).
Redirecting network from an other M7 system updated (1982.168.1.2), to this server under Plasma Systemsettings and /etc/resolv.conf to ask DNS to gateway/proxy (192.168.1.254):
HTTP goes through squid and correctly logged.

MGA7-64-OK

Validating update.
Advisory pushed to SVN.

CC: (none) => ouaurelien, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0399.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED