Bug 29025

Summary: perl-Net-CIDR-Lite new security issue fixed upstream in 0.22
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: herman.viaene, mageia, ouaurelien, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: perl-Net-CIDR-Lite-0.210.0-9.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2021-05-29 22:21:57 CEST
Fedora has issued an advisory on April 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LDO7X4TBRIVL4G3GLZBEHFXC7IXMBAMW/

The issue is fixed upstream in 0.22.

David Walser 2021-05-29 22:22:09 CEST

Whiteboard: (none) => MGA7TOO

David Walser 2021-05-30 05:00:52 CEST

QA Contact: (none) => security
Component: RPM Packages => Security

Comment 1 David Walser 2021-07-01 18:55:09 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA7TOO => (none)

Comment 2 Nicolas Lécureuil 2021-07-23 18:10:08 CEST
version 0.22 uploaded in mga8


src:
    - perl-Net-CIDR-Lite-0.220.0-1.mga8

Assignee: thierry.vignaud => qa-bugs
CC: (none) => mageia

Comment 3 David Walser 2021-07-23 18:22:35 CEST
rhbz reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1961865

Severity: normal => major

Comment 4 Aurelien Oudelet 2021-07-23 22:24:47 CEST
Advisory:
========================

Updated perl-Net-CIDR-Lite package fixes a security vulnerability:

It was discovered that the perl Net-CIDR-Lite module did not correctly handle IP
addresses with IP octets containing leading zeros.  Leading zeros were ignored,
while the underlying system can treat such octets as octal numbers and interpret
them differently.  For example, IP address of 010.0.0.1 was considered by
Net-CIDR-Lite to be the same address as 10.0.0.1, while the system may consider
it to be IP address 8.0.0.1 (rhbz 1961865).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29025
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LDO7X4TBRIVL4G3GLZBEHFXC7IXMBAMW/
 - https://bugzilla.redhat.com/show_bug.cgi?id=1961865
========================

Updated package in core/updates_testing:
========================
perl-Net-CIDR-Lite-0.220.0-1.mga8

from SRPM:
perl-Net-CIDR-Lite-0.220.0-1.mga8.src.rpm

CC: (none) => ouaurelien
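
The ambiguity described in the advisory above, as an added Python example that is not part of this bug thread and is not Net-CIDR-Lite code. It computes both readings of a dotted quad, lists inputs where they differ, and shows a strict parser that refuses leading zeros; all function names, the sample addresses and the 10.0.0.0/8 network are constructed for illustration.

```python
import ipaddress
import re

def _read(addr, octal_aware):
    parts = addr.split(".")
    if len(parts) != 4 or not all(re.fullmatch(r"[0-9]+", p) for p in parts):
        raise ValueError(f"not a dotted quad: {addr!r}")
    values = []
    for p in parts:
        # A leading zero selects base 8 only in the octal-aware reading.
        base = 8 if octal_aware and len(p) > 1 and p[0] == "0" else 10
        value = int(p, base)  # ValueError for e.g. "009" read as octal
        if value > 255:
            raise ValueError(f"octet out of range: {addr!r}")
        values.append(str(value))
    return ipaddress.IPv4Address(".".join(values))

def decimal_reading(addr):
    """Leading zeros ignored, as the advisory describes for the unfixed module."""
    return _read(addr, octal_aware=False)

def octal_reading(addr):
    """Leading zero means octal, as the advisory says the system may do."""
    return _read(addr, octal_aware=True)

def strict_parse(addr):
    """Refuse any octet written with a leading zero, leaving one reading."""
    if any(len(p) > 1 and p[0] == "0" for p in addr.split(".")):
        raise ValueError(f"leading zero in octet: {addr!r}")
    return decimal_reading(addr)

def audit(addrs, network):
    """List inputs with two readings and whether a check on network is affected."""
    net = ipaddress.ip_network(network)
    findings = []
    for addr in addrs:
        dec = decimal_reading(addr)
        try:
            octal = octal_reading(addr)
        except ValueError:
            octal = None  # not valid octal, so there is no second address
        if octal != dec:
            split = octal is None or (dec in net) != (octal in net)
            text = None if octal is None else str(octal)
            findings.append((addr, str(dec), text, split))
    return findings

# Constructed sample input, not taken from any real log.
SAMPLES = ["10.0.0.1", "010.0.0.1", "10.0.0.010", "192.168.009.1"]
```

Calling `audit(SAMPLES, "10.0.0.0/8")` returns one tuple per ambiguous input: the text as written, the decimal reading, the octal reading (or `None`), and whether the two readings fall on different sides of the network check.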

Comment 5 Herman Viaene 2021-07-27 15:40:55 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
Checked that MCC - Networkcenter is not disturbed by it (a wild guess), otherwise OK on clean install.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Aurelien Oudelet 2021-07-27 21:06:04 CEST
Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2021-07-27 22:23:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0376.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED