Bug 27752

Summary: db48 new security issue CVE-2019-2708
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Thierry Vignaud <thierry.vignaud>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, ouaurelien, shlomif, thierry.vignaud
Version: 7   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: db48-4.8.30-24.mga7.src.rpm CVE:
Status comment: db48 needs patch to be backported
Bug Depends on: 27960    
Bug Blocks:    

Description David Walser 2020-12-05 18:11:06 CET 
Thierry fixed this issue in Cauldron:
https://bugzilla.redhat.com/show_bug.cgi?id=1853242

I don't know if we have other db versions that are affected too.
Comment 1 David Walser 2020-12-05 18:18:09 CET 
db1 and db48 are probably also affected.

Version: 7 => Cauldron
Source RPM: db53-5.3.28-17.mga7.src.rpm => db1-1.85-29.mga7.src.rpm, db48-4.8.30-24.mga7.src.rpm, db53-5.3.28-17.mga7.src.rpm
Whiteboard: (none) => MGA7TOO

David Walser 2020-12-05 18:18:22 CET

CC: (none) => thierry.vignaud

Comment 2 Aurelien Oudelet 2020-12-07 10:29:18 CET 
Hi, thanks for reporting this bug.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => thierry.vignaud
CC: (none) => ouaurelien, shlomif

Comment 3 Thierry Vignaud 2020-12-07 14:33:26 CET 
I've backported it & submited it for mga7:  db53-5.3.28-17.1.mga7
Comment 4 David Walser 2020-12-07 14:44:29 CET 
Thanks, what about db1 and db48?
Comment 5 David Walser 2020-12-07 15:59:58 CET 
Packages list for db53 update:
libdb5.3-5.3.28-17.1.mga7
libdbcxx5.3-5.3.28-17.1.mga7
libdbsql5.3-5.3.28-17.1.mga7
libdbjava5.3-5.3.28-17.1.mga7
libdbtcl5.3-5.3.28-17.1.mga7
db53-utils-5.3.28-17.1.mga7
db53_recover-5.3.28-17.1.mga7
libdb5.3-devel-5.3.28-17.1.mga7
libdb5.3-static-devel-5.3.28-17.1.mga7

from db53-5.3.28-17.1.mga7.src.rpm
Comment 6 Thierry Vignaud 2020-12-07 18:04:30 CET 
(In reply to David Walser from comment #4)
> Thanks, what about db1 and db48?

For db1, the code is vastly different.
It looks like nothing more depends on db1, so we could actually drop it from the distro (woot!)
Comment 7 David Walser 2020-12-16 15:46:17 CET 
Fedora has issued an advisory for this today (December 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OQFKX6NKU2DCW5CTCHQSOJJDFVRVTPO6/
David Walser 2020-12-27 21:44:34 CET

Status comment: (none) => db1 needs to be dropped, db48 needs to be patched

Comment 8 Nicolas Lécureuil 2020-12-27 23:03:42 CET 
db1 dropped

CC: (none) => mageia

Nicolas Lécureuil 2020-12-27 23:03:49 CET

Status comment: db1 needs to be dropped, db48 needs to be patched => db48 needs to be patched

Comment 9 Nicolas Lécureuil 2020-12-27 23:20:04 CET 
db1 support removed from db48.
Comment 10 Nicolas Lécureuil 2020-12-27 23:36:18 CET 
thierry, do you think you can patch db48 for this ?
David Walser 2020-12-28 15:32:19 CET

Depends on: (none) => 27960

Comment 11 David Walser 2020-12-28 15:33:23 CET 
db53 updated moved to Bug 27960.

Status comment: db48 needs to be patched => db48 needs patch to be backported
Source RPM: db1-1.85-29.mga7.src.rpm, db48-4.8.30-24.mga7.src.rpm, db53-5.3.28-17.mga7.src.rpm => db48-4.8.30-24.mga7.src.rpm
Summary: db53 new security issue CVE-2019-2708 => db48 new security issue CVE-2019-2708

Comment 12 Nicolas Lécureuil 2021-01-01 23:55:27 CET 
db48 is removed from cauldron.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 13 David Walser 2021-01-01 23:59:50 CET 
Nice.  It might make sense to obsolete db48-utils in db53-utils, but I wouldn't obsolete the libs, I'd just delete them as you did.
Comment 14 David Walser 2021-07-01 18:25:32 CEST 
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Status: NEW => RESOLVED
Resolution: (none) => OLD