Bug 28953

Summary: networkmanager new security issue CVE-2021-20297
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, bequimao.de, jani.valimaa, ouaurelien, sysadmin-bugs
Version: 8 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: networkmanager-1.26.6-1.mga8.src.rpm CVE:
Status comment:
Attachments: System info, list of installed packages

Description David Walser 2021-05-20 19:48:45 CEST
RedHat has issued an advisory on May 18:
https://access.redhat.com/errata/RHSA-2021:1574

The issue is fixed upstream in 1.30.0 and the upstream commit that fixed the issue is referenced in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1943282

Mageia 7 is also affected.
David Walser 2021-05-20 19:48:58 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from upstream

Comment 1 Aurelien Oudelet 2021-05-21 03:07:29 CEST
Hi, thanks for reporting this.

Assigning to registered maintainer.

CC: (none) => ouaurelien
Assignee: bugsquad => jani.valimaa

Comment 2 David Walser 2021-05-28 21:06:23 CEST
Ubuntu has issued an advisory for this on April 14:
https://ubuntu.com/security/notices/USN-4914-1
Comment 3 Jani Välimaa 2021-05-29 19:59:24 CEST
nm with a patch from upstream in mga8 core/updates_testing.

SRPMS:
networkmanager-1.26.6-1.1.mga8

RPMS:
lib(64)nm0-1.26.6-1.1.mga8
lib(64)nm-devel-1.26.6-1.1.mga8
lib(64)nm-gir1.0-1.26.6-1.1.mga8
networkmanager-1.26.6-1.1.mga8
networkmanager-adsl-1.26.6-1.1.mga8
networkmanager-bluetooth-1.26.6-1.1.mga8
networkmanager-ppp-1.26.6-1.1.mga8
networkmanager-team-1.26.6-1.1.mga8
networkmanager-tui-1.26.6-1.1.mga8
networkmanager-wifi-1.26.6-1.1.mga8
networkmanager-wwan-1.26.6-1.1.mga8

Assignee: jani.valimaa => qa-bugs

Comment 4 David Walser 2021-05-30 04:47:52 CEST
You forgot Mageia 7.  Please leave yourself in CC when assigning to QA also.

Assignee: qa-bugs => jani.valimaa

Comment 5 David Walser 2021-06-28 18:20:42 CEST
But introduced in 1.26.0, so Mageia 7 is not affected.

Whiteboard: MGA7TOO => (none)
Status comment: Patch available from upstream => (none)
Assignee: jani.valimaa => qa-bugs
CC: (none) => jani.valimaa

Comment 6 Ulrich Beckmann 2021-07-02 15:18:49 CEST
Created attachment 12840
System info, list of installed packages


Tested on a Sony Vaio E series notebook.
NetworkManager was installed and configured before. No regression found.

Ulrich

CC: (none) => bequimao.de

Comment 7 Thomas Andrews 2021-07-03 19:05:37 CEST
HP Probook 6550b, 64-bit Plasma system.

Network Manager already installed and operating before the update. After the update, I rebooted to make sure the connection would be established at boot. Also, I was able to connect to both frequencies of my network, and the signal of another network is detected, as usual.

Looks OK to me. With two good tests, I'm validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-07-04 02:58:18 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-07-04 04:15:12 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0309.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED