Bug 29350

Summary: c-ares new security issue CVE-2021-3672
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: c-ares-1.17.1-1.mga8.src.rpm CVE: CVE-2021-3672
Status comment:

Description David Walser 2021-08-10 15:51:31 CEST 
Upstream has issued an advisory today (August 10):
https://c-ares.haxx.se/adv_20210810.html

The issue is fixed upstream in 1.17.2.

Mageia 8 is also affected.
David Walser 2021-08-10 15:51:49 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.17.2

Comment 1 David Walser 2021-08-10 15:55:04 CEST 
Debian and Ubuntu have issued advisories for this today (August 10):
https://www.debian.org/security/2021/dsa-4954
https://ubuntu.com/security/notices/USN-5034-1

Summary: c-ares new security issue => c-ares new security issue CVE-2021-3672

Comment 2 Marja Van Waes 2021-08-10 19:52:16 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2021-08-18 16:27:31 CEST 
openSUSE has issued an advisory for this today (August 18):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4F2ZKNNMGENSNMAS5CDHA3CDDRAXF3AQ/
Comment 4 David Walser 2021-08-18 16:34:11 CEST 
Fedora has issued an advisory for this today (August 18):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KPERAVSVZ542L4S6OA2QPUXNAJ4F2M5X/

Severity: normal => major

Comment 5 Nicolas Salguero 2021-08-30 15:14:56 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Missing input validation on hostnames returned by DNS servers. (CVE-2021-3672)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672
https://c-ares.haxx.se/adv_20210810.html
https://www.debian.org/security/2021/dsa-4954
https://ubuntu.com/security/notices/USN-5034-1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4F2ZKNNMGENSNMAS5CDHA3CDDRAXF3AQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KPERAVSVZ542L4S6OA2QPUXNAJ4F2M5X/
========================

Updated packages in core/updates_testing:
========================
lib(64)cares2-1.17.1-1.1.mga8
lib(64)cares-devel-1.17.1-1.1.mga8

from SRPM:
c-ares-1.17.1-1.1.mga8.src.rpm

Version: Cauldron => 8
Status comment: Fixed upstream in 1.17.2 => (none)
CVE: (none) => CVE-2021-3672
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED

Comment 6 Herman Viaene 2021-09-30 15:24:24 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 27654 Comment 3 fr testing, omitting the traces.
$ aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme

09/30 15:13:54 [NOTICE] Downloading 1 item(s)

09/30 15:13:55 [NOTICE] Download afgerond: /home/tester8/Documenten/mirror.readme

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
9cbc3d|OK  |    15KiB/s|/home/tester8/Documenten/mirror.readme

Status Legend:
(OK):download completed.
Downloaded file looks OK.

# urpmi --aria2 guava
Pakket guava-25.0-6.mga8.noarch is reeds geïnstalleerd
Markeren van guava als handmatig geïnstalleerd. Het zal niet automatisch wees gemaakt worden.
writing /var/lib/rpm/installed-through-deps.list
Checked a few of the files listed in MCC: they are were expeted.
OK, good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2021-10-02 05:30:14 CEST 
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-10-02 19:22:12 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2021-10-02 20:58:53 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0453.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED