| Summary: | nginx, sendmail, vsftpd new security issue CVE-2021-3618 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, cjw, davidwhodgins, mageia, smelror, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | nginx-1.20.1-1.mga9.src.rpm, sendmail-8.16.1-1.mga8.src.rpm, vsftpd-3.0.3-11.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2021-07-04 21:13:14 CEST

David Walser
2021-07-04 21:13:44 CEST
Status comment: (none) => Fixed upstream in vsftpd 3.0.4, nginx 1.21.0, sendmail 8.17

Given the 3 SRPMS involved (of which one has no obvious maintainer), assigning this globally; CC'ing Stig for nginx, cjw for sendmail.
CC: (none) => cjw, smelror

Regarding nginx, it's probably fixed in 1.20.1 as well. 1.21.0 is their development version that I don't want to push to mga8.

Yes. "nginx-1.20.1 stable and nginx-1.21.0 mainline versions have been released, with a fix for the 1-byte memory overwrite vulnerability in resolver (CVE-2021-23017)."
https://nginx.org/
Cauldron has already been updated to 1.20.1.

Looks like it's been updated with an upstream patch for mga8 by David Walser on 2021-06-28.
------------------------------------------------------------------------
r1734115 | luigiwalser | 2021-06-28 18:38:21 +0200 (Mon, 28 Jun 2021) | 1 line

add upstream patch to fix CVE-2021-23017
Whiteboard: MGA8TOO => (none)

You got the wrong CVE (and there are two other packages to fix). See the RedHat bug for a link to the nginx commit that fixed this issue.
Whiteboard: (none) => MGA8TOO

Fedora has issued an advisory for vsftpd today (October 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TKXMYKALTHIBJLDHQPBKNQK2FWVOSIG7/

fixed in cauldron
Whiteboard: MGA8TOO => (none)

From: https://security-tracker.debian.org/tracker/CVE-2021-3618
this is fixed in sendmail 8.16.1 (so mga8 is not affected).

src:
- nginx-1.18.0-5.2.mga8
- vsftpd-3.0.5-1.mga8
Status comment: Fixed upstream in vsftpd 3.0.4, nginx 1.21.0, sendmail 8.17 => (none)

MGA8-64, gnome
To satisfy dependencies, the following package(s) also need to be installed:
- lib64pcre16_0-8.44-1.mga8.x86_64
- lib64pcre32_0-8.44-1.mga8.x86_64
- lib64pcreposix1-8.44-1.mga8.x86_64
- pcre-8.44-1.mga8.x86_64
- webserver-base-2.0-15.mga8.noarch
- and of course nginx
-- rebooted
went into services and started nginx
Welcome to nginx 1.18.0 on Mageia!
CC: (none) => brtians1

MGA8-64, Gnome
installed vsftpd
started it in services
realized I needed to configure it
edited the vsftpd.conf file
restarted service
test ftp worked
sendmail - do I need to test this?

No, Sendmail apparently didn't need to be updated.
Whiteboard: (none) => MGA8-64-OK

Validating.
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins
2021-12-08 01:21:08 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0540.html
Resolution: (none) => FIXED
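Once MGASA-2021-0540 is out, the practical follow-up on an mga8 fleet is to confirm that every host really carries the rebuilt packages named in this bug. The script below is an added example and is not code from the bug, from Mageia QA, or from nginx, vsftpd or sendmail. It takes the fixed builds quoted in the thread (nginx-1.18.0-5.2.mga8, vsftpd-3.0.5-1.mga8, and the existing sendmail-8.16.1-1.mga8 build, which the thread says already had the upstream fix) and compares them against `rpm -q` output. The installed list below is a constructed sample; the version comparison is a simplified rpmvercmp (no epoch, no tilde/caret handling), which is an assumption that holds for the builds involved here.

```shell
#!/bin/sh
# Added example: not code from the Mageia bug, from Mageia QA, or from
# nginx/vsftpd/sendmail. It checks that the builds installed on an mga8
# host are at or above the fixed builds quoted in the bug for
# MGASA-2021-0540. The rpm output below is a constructed sample; the
# version comparison is a simplified rpmvercmp (no epoch, no tilde/caret),
# which is enough for the NVRs involved here.

# Fixed builds taken from the bug. sendmail 8.16.1 already carried the
# upstream fix, so its existing mga8 build is the floor.
FIXED_NVRS="nginx-1.18.0-5.2.mga8
vsftpd-3.0.5-1.mga8
sendmail-8.16.1-1.mga8"

# Constructed sample of
#   rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' nginx vsftpd sendmail
# on a host where nginx was updated but vsftpd still runs the old build.
SAMPLE_INSTALLED="nginx-1.18.0-5.2.mga8
vsftpd-3.0.3-11.mga8
sendmail-8.16.1-1.mga8"

# Split NAME-VERSION-RELEASE on its last two dashes; package names may
# themselves contain dashes, version and release never do.
nvr_name()    { printf '%s\n' "${1%-*-*}"; }
nvr_version() { v="${1%-*}"; printf '%s\n' "${v##*-}"; }
nvr_release() { printf '%s\n' "${1##*-}"; }

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Compare two dotted strings field by field: numeric fields as integers,
# anything else (e.g. "mga8") lexically, a missing field as lower.
# Returns 0 if equal, 1 if $1 is newer, 2 if $1 is older.
vercmp() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        case "$a" in *.*) fa="${a%%.*}"; a="${a#*.}" ;; *) fa="$a"; a="" ;; esac
        case "$b" in *.*) fb="${b%%.*}"; b="${b#*.}" ;; *) fb="$b"; b="" ;; esac
        [ "$fa" = "$fb" ] && continue
        if is_num "$fa" && is_num "$fb"; then
            [ "$fa" -gt "$fb" ] && return 1 || return 2
        fi
        [ -z "$fa" ] && return 2
        [ -z "$fb" ] && return 1
        [ "$(expr "$fa" \> "$fb")" = 1 ] && return 1 || return 2
    done
    return 0
}

# Returns 0 if installed NVR $1 is at least fixed NVR $2, 1 if older,
# 2 if they are not the same package. Version decides before release, so
# vsftpd-3.0.3-11 is older than vsftpd-3.0.5-1 despite the larger release.
pkg_at_least() {
    [ "$(nvr_name "$1")" = "$(nvr_name "$2")" ] || return 2
    vercmp "$(nvr_version "$1")" "$(nvr_version "$2")"
    case $? in 1) return 0 ;; 2) return 1 ;; esac
    vercmp "$(nvr_release "$1")" "$(nvr_release "$2")"
    [ $? -ne 2 ]
}

# Report each package from FIXED_NVRS against the installed list ($1,
# newline separated). Returns 1 if any installed build is still old.
check_updates() {
    bad=0
    for fixed in $FIXED_NVRS; do
        name="$(nvr_name "$fixed")" have=""
        for pkg in $1; do
            [ "$(nvr_name "$pkg")" = "$name" ] && have="$pkg"
        done
        if [ -z "$have" ]; then
            echo "$name: not installed"
        elif pkg_at_least "$have" "$fixed"; then
            echo "$name: OK ($have)"
        else
            echo "$name: NEEDS UPDATE ($have is older than $fixed)"; bad=1
        fi
    done
    return $bad
}

check_updates "$SAMPLE_INSTALLED" || echo "host still needs MGASA-2021-0540"
```

On a real host, replace the constructed sample with the output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' nginx vsftpd sendmail`; a package that is not installed is reported as such rather than counted as vulnerable, and the nonzero exit from `check_updates` is what a fleet job should key on. The vsftpd line in the sample is the case worth noticing: the old build has the higher release number (11 vs 1), so a naive "largest number wins" check would pass it, while comparing version before release correctly flags it.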