| Summary: | ganglia-web new security issues CVE-2019-2037[89] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Zombie Ryushu <zombie_ryushu> |
| Component: | Security | Assignee: | Johnny A. Solbu <cooker> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | nicolas.salguero, ouaurelien |
| Version: | 8 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://nvd.nist.gov/vuln/detail/CVE-2019-20379 | ||
| See Also: | https://github.com/ganglia/ganglia-web/issues/351 | ||
| Whiteboard: | |||
| Source RPM: | ganglia-web-3.7.4-4.mga8.src.rpm | CVE: | CVE-2019-20379 |
| Status comment: | |||
|
Description
Zombie Ryushu
2020-12-06 03:06:47 CET
Zombie Ryushu
2020-12-06 03:06:58 CET
CVE:
(none) =>
CVE-2019-20379 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20379

Source RPM:
ganglia-web-3.7.4-4.mga8.src =>
ganglia-web-3.7.4-4.mga8.src.rpm

Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)

CC:
(none) =>
ouaurelien
David Walser
2020-12-27 22:33:12 CET
Status comment:
(none) =>
No fix available as of end of 2020
David Walser
2020-12-28 17:10:21 CET
Whiteboard:
MGA7TOO =>
MGA8TOO, MGA7TOO

Link to upstream bug report

See Also:
(none) =>
https://github.com/ganglia/ganglia-web/issues/351

Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard:
MGA8TOO, MGA7TOO =>
MGA8TOO

SUSE has issued an advisory on November 8: https://lists.suse.com/pipermail/sle-security-updates/2022-November/012840.html

CVE-2019-20378 appears to be related and to have been fixed last year (and in 3.7.5), and CVE-2019-20379 (or I may have the CVEs backwards) appears to require an additional patch.

Status comment:
No fix available as of end of 2020 =>
Fixed upstream in 3.7.5 and/or in patch available from SUSE

(In reply to David Walser from comment #5)
> SUSE has issued an advisory on November 8:
> https://lists.suse.com/pipermail/sle-security-updates/2022-November/012840.html
>
> CVE-2019-20378 appears to be related and to have been fixed last year (and
> in 3.7.5), and CVE-2019-20379 (or I may have the CVEs backwards) appears to
> require an additional patch.

v3.7.5 submitted to cauldron. Do you have a link to any patches? My searches find that upstream can't reproduce the issue…

I don't see any patches on top of 3.7.5 added in openSUSE Factory.

See if any of the fixes referenced here are missing from 3.7.5: https://bugzilla.suse.com/show_bug.cgi?id=1160761

(In reply to David Walser from comment #7)
> I don't see any patches on top of 3.7.5 added in openSUSE Factory.
>
> See if any of the fixes referenced here are missing from 3.7.5:
> https://bugzilla.suse.com/show_bug.cgi?id=1160761

I just viewed the spec diff SuSE claims fixes the issue, which is this one: https://build.opensuse.org/request/show/1032451

This is BULLSHIT! There are no patch changes of any kind!

No, the update to 3.7.5 was actually the commit before that one, but it was just a simple update to 3.7.5. I'm guessing that the patches are upstream in 3.7.5, but I haven't checked to verify that.

Mageia 8 EOL.

Version:
Cauldron =>
8