| Summary: | libksba new security issue CVE-2022-47629 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | libksba-1.5.0-1.1.mga8.src.rpm | CVE: | CVE-2022-47629 |
| Status comment: | |||
|
Description
David Walser
2022-12-22 16:22:05 CET
David Walser
2022-12-22 16:22:23 CET
CVE: CVE-2022-3515 => CVE-2022-47629

Nicolas, I know this SRPM is not your baby, but you did a similar CVE update to it not long ago, so have been here before, a very similar job.
new version 1.6.2 for CVE...

Assignee: bugsquad => nicolas.salguero
Lewis Smith
2022-12-22 19:51:21 CET
CC: nicolas.salguero => (none)

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser. (CVE-2022-47629)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47629
https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
https://www.debian.org/security/2022/dsa-5305
========================

Updated packages in core/updates_testing:
========================
lib(64)ksba8-1.5.0-1.2.mga8
lib(64)ksba-devel-1.5.0-1.2.mga8

from SRPM:
libksba-1.5.0-1.2.mga8.src.rpm

Status: NEW => ASSIGNED

MGA8-64 MATE on Acer Aspire 5253
No installation issues
Followed leads from bug 30975 Comment 32 and Comment 8

$ gpgconf --show-version
* GnuPG 2.2.36 (491645b50)
GNU/Linux
* Libgcrypt 1.8.7 (04c156a4)
version:1.8.7:10807:1.41-unknown:12900:
cc:100300:gcc:10.3.0:
ciphers:arcfour:blowfish:cast5:des:aes:twofish:serpent:rfc2268:seed:camellia:idea:salsa20:gost28147:chacha20:
pubkeys:dsa:elgamal:rsa:ecc:
digests:crc:gostr3411-94::md4:md5:rmd160:sha1:sha256:sha512:sha3:tiger:whirlpool:stribog:blake2:
rnd-mod:egd:linux:unix:
cpu-arch:x86:
mpi-asm:amd64/mpih-add1.S:amd64/mpih-sub1.S:amd64/mpih-mul1.S:amd64/mpih-mul2.S:amd64/mpih-mul3.S:amd64/mpih-lshift.S:amd64/mpih-rshift.S:
hwflist:intel-ssse3:intel-rdtsc:
fips-mode:n:n:
rng-type:standard:1:2010000:1:
* GpgRT 1.41-unknown (0000000)
* Libassuan 2.5.4 (e368b40)
* KSBA 1.5.0 (9c0a818)
* GNUTLS 3.6.15

$ gpgsm --gen-key > x.pem
gpgsm (GnuPG) 2.2.36; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA
(2) Existing key
(3) Existing key from card
Your selection? 1
What keysize do you want? (3072)
Requested keysize is 3072 bits
Possible actions for a RSA key:
(1) sign, encrypt
(2) sign
(3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=<name>, O=thuis, C=unv
Enter email addresses (end with an empty line):
> <mail-address>
>
Enter DNS names (optional; end with an empty line):
>
Enter URIs (optional; end with an empty line):
>
Create self-signed certificate? (y/N) y
These parameters are used:
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign, encrypt
Serial: random
Name-DN: CN=<name>, O=thuis, C=unv
Name-Email: <mail-address>
Proceed with creation? (y/N) y
Now creating self-signed certificate. This may take a while ...
gpgsm: about to sign the certificate for key: &DA504B849C780A269CBBB4365E74F44B85F3871E
gpgsm: certificate created
Ready.

So worked OK.

CC: (none) => herman.viaene

Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Dave Hodgins
2022-12-30 21:28:13 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0485.html

Status: ASSIGNED => RESOLVED |