Bug 29092

Summary: libgrss new security issue CVE-2016-20011
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: libgrss-0.7.0-4.mga8.src.rpm CVE: CVE-2016-20011
Status comment:

Description David Walser 2021-06-08 03:09:00 CEST 
A security issue in libgrss has been reported:
https://bugzilla.gnome.org/show_bug.cgi?id=772647
https://gitlab.gnome.org/GNOME/libgrss/-/issues/4

A patch to mitigate the issue is available at:
https://gitlab.gnome.org/GNOME/libgrss/-/merge_requests/7.patch

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-06-08 03:09:07 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-06-08 21:43:39 CEST 
Olav is both registered & active maintainer of this, so assigning the bug accordingly.

Assignee: bugsquad => olav

Comment 2 David Walser 2021-06-28 20:02:28 CEST 
Advisory:
========================

Updated libgrss packages fix security vulnerability:

libgrss does not perform any TLS certificate verification because it uses the
deprecated SoupSessionAsync, which requires manually enabling certificate
verification, rather than a modern SoupSession that has good defaults
(CVE-2016-20011).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-20011
https://gitlab.gnome.org/GNOME/libgrss/-/issues/4
========================

Updated packages in core/updates_testing:
========================
libgrss0-0.7.0-2.1.mga7
libgrss-devel-0.7.0-2.1.mga7
libgrss0-0.7.0-4.1.mga8
libgrss-devel-0.7.0-4.1.mga8

from SRPMS:
libgrss-0.7.0-2.1.mga7.src.rpm
libgrss-0.7.0-4.1.mga8.src.rpm

Version: Cauldron => 8
Assignee: olav => qa-bugs
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 3 Herman Viaene 2021-07-09 10:52:42 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues, no previous updates on this.
# urpmq --whatrequires lib64grss0
lib64grss0
tracker-miners
That's the same league as the update on libosinfo in bug 25112, so again OK on clean install.

CC: (none) => herman.viaene
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 4 Herman Viaene 2021-07-12 13:38:06 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues.
Clean install. OK.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 5 Thomas Andrews 2021-07-12 14:59:14 CEST 
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-07-12 20:53:36 CEST

Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2016-20011

Comment 6 Mageia Robot 2021-07-12 22:27:50 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0343.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED