| Summary: | spice new security issue CVE-2021-20201 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | bequimao.de, herman.viaene, mageia, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | spice-0.14.3-3.mga8.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Log of installation/upgrade | ||

Description
David Walser
2021-05-19 19:55:06 CEST
David Walser
2021-05-19 19:55:20 CEST
Whiteboard: (none) => MGA7TOO

Assigning to Thierry: you did in Cauldron the 0.14.3 update, and the recent 0.15.0 one.
@DavidW: will that do the job of 0.14.92?

Assignee: bugsquad => thierry.vignaud

openSUSE has issued an advisory for this on June 17:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AINSWYQLD5FH4GUOEP5FWWA5CMFHTUDX/

Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA7TOO => (none)
Nicolas Lécureuil
2021-07-19 19:52:56 CEST
CC: (none) => mageia

Fixed package pushed in mga8:
src:
- spice-0.14.3-3.1.mga8

Source RPM: spice-protocol-0.14.3-3.mga8.src.rpm => spice-0.14.3-3.mga8.src.rpm

spice-client-0.14.3-3.1.mga8
libspice-server-devel-0.14.3-3.1.mga8
libspice-server1-0.14.3-3.1.mga8
from spice-0.14.3-3.1.mga8.src.rpm

MGA8-64 Plasma on Lenovo B50
No installation issues. This laptop is not sufficiently equipped to run VMs.

CC: (none) => herman.viaene
Ulrich Beckmann
2021-07-20 18:07:08 CEST
CC: (none) => bequimao.de

Advisory:
========================

Updated spice packages fix a security vulnerability:

A flaw was found in spice in versions before 0.14.92. A DoS tool might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection (CVE-2021-20201).

References:
- https://bugs.mageia.org/show_bug.cgi?id=28947
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20201
- https://access.redhat.com/errata/RHSA-2021:1924
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AINSWYQLD5FH4GUOEP5FWWA5CMFHTUDX/
========================

Updated packages in core/updates_testing:
========================
lib(64)spice-server-devel-0.14.3-3.1.mga8
lib(64)spice-server1-0.14.3-3.1.mga8
spice-client-0.14.3-3.1.mga8

from SRPM:
spice-0.14.3-3.1.mga8.src.rpm

CC: (none) => ouaurelien

Created attachment 12901
Log of installation/upgrade
Tested Spice with Virt-Manager, Qemu/KVM
Host is Mageia 8 KDE Plasma, guest also Mageia 8 KDE Plasma
Shared folder, ok
Clipboard sharing, both directions ok
USB redirection, created and deleted files on a USB flash drive - ok.
I will give details of host and guest configuration later.
Best regards,
Ulrich
I documented the needs and proceedings to get it running in the international forum
https://forums.mageia.org/en/viewtopic.php?f=41&t=14293

Setting the bug report to ok! Finally!

Ulrich

Whiteboard: (none) => MGA8-64-OK
David Walser
2021-08-14 21:16:53 CEST
Keywords: (none) => validated_update
David Walser
2021-08-14 21:50:48 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0405.html

Status: NEW => RESOLVED