Bug 29023

Summary: perl-Net-Netmask new security issue CVE-2021-29424
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, mageia, ouaurelien, sysadmin-bugs
Version: 8 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: perl-Net-Netmask-1.910.400-3.mga8.src.rpm CVE: CVE-2021-29424
Status comment:

Description David Walser 2021-05-29 21:54:13 CEST
Fedora has issued an advisory on April 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CBJVLXJSWN6DKSF5ADUEERI6M23R3GGP/

The issue is fixed upstream in 2.0.

Mageia 7 is also affected.
David Walser 2021-05-29 21:54:23 CEST

Status comment: (none) => Fixed upstream in 2.0
Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2021-07-01 18:54:58 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA7TOO => (none)

Comment 2 Nicolas Lécureuil 2021-07-23 16:00:02 CEST
New version pushed in mga8


src:
    - perl-Net-Netmask-2.0.100-1.mga8

Status comment: Fixed upstream in 2.0 => (none)
Assignee: thierry.vignaud => qa-bugs
CC: (none) => mageia

Comment 3 Aurelien Oudelet 2021-07-23 22:20:38 CEST
Advisory:
========================

Updated perl-Net-Netmask package fixes a security vulnerability:

The Net::Netmask module before 2.0000 for Perl does not properly consider
extraneous zero characters at the beginning of an IP address string, which
(in some situations) allows attackers to bypass access control that is based
on IP addresses (CVE-2021-29424).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29023
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29424
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CBJVLXJSWN6DKSF5ADUEERI6M23R3GGP/
========================

Updated package in core/updates_testing:
========================
perl-Net-Netmask-2.0.100-1.mga8

from SRPM:
perl-Net-Netmask-2.0.100-1.mga8.src.rpm

CC: (none) => ouaurelien
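
Added example, not part of the original report and not Net::Netmask code: it shows why the leading zeros described in the advisory matter for IP-based access control, and a strict check that rejects such strings before any ACL decision. The function names and sample addresses are constructed for illustration; the octal reading reflects how inet_aton()-style parsers treat an octet with a leading zero.

```perl
#!/usr/bin/perl
# Added example (not Net::Netmask code): the leading-zero ambiguity behind
# CVE-2021-29424, and a strict check to apply before an IP-based ACL lookup.
use strict;
use warnings;

# Reading 1: every octet is decimal and leading zeros are ignored.
sub octets_as_decimal {
    my ($ip) = @_;
    return join '.', map { $_ + 0 } split /\./, $ip;
}

# Reading 2: an octet with a leading zero is octal (inet_aton()-style parsers).
sub octets_as_octal {
    my ($ip) = @_;
    return join '.', map { /^0[0-7]+$/ ? oct($_) : $_ + 0 } split /\./, $ip;
}

# Strict dotted quad: exactly four decimal octets, 0-255, no leading zeros.
sub is_strict_ipv4 {
    my ($ip) = @_;
    return 0 unless defined $ip;
    my $octet = qr/(0|[1-9][0-9]{0,2})/;
    my @o = $ip =~ /\A$octet\.$octet\.$octet\.$octet\z/;
    return 0 unless @o == 4;
    return (grep { $_ > 255 } @o) ? 0 : 1;
}

# Constructed sample inputs. When the two readings differ, the component that
# checks the ACL and the component that uses the address can disagree about
# which host the string names, so the safe choice is to reject the string.
for my $ip (qw(10.0.0.1 010.0.0.1 0127.0.0.1 192.168.001.5 256.1.1.1)) {
    printf "%-15s decimal=%-13s octal=%-13s strict=%s\n",
        $ip, octets_as_decimal($ip), octets_as_octal($ip),
        is_strict_ipv4($ip) ? 'accept' : 'reject';
}
```

Of the sample inputs, only `10.0.0.1` passes the strict check. Rejecting ambiguous strings at input is a defense that holds regardless of which parser later consumes the address.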

Comment 4 Herman Viaene 2021-07-27 15:45:12 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
OK on clean install.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 5 Aurelien Oudelet 2021-07-27 21:07:57 CEST
Validating.

Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-29424
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2021-07-27 22:23:23 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0375.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED