| Summary: | sofia-sip new security issue CVE-2023-32307 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, geiger.david68210, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | sofia-sip-1.13.14-1.mga9.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2023-06-16 00:08:33 CEST
David Walser
2023-06-16 00:08:45 CEST
Whiteboard: (none) => MGA8TOO

Another one for you, David; since you have done all updates for this for several versions, since 1.13.10.

Assignee: bugsquad => geiger.david68210

Done for both mga8 and cauldron! Freeze_move requested for cauldron.

Fixed for cauldron

Version: Cauldron => 8

Assigning to QA,

Packages in 8/Core/Updates_testing:
======================
libsofia-sip-devel-1.12.11-10.4.mga8
libsofia-sip-static-devel-1.12.11-10.4.mga8
libsofia-sip0-1.12.11-10.4.mga8
lib64sofia-sip-devel-1.12.11-10.4.mga8
sofia-sip-1.12.11-10.4.mga8
lib64sofia-sip-static-devel-1.12.11-10.4.mga8
lib64sofia-sip0-1.12.11-10.4.mga8

From SRPMS:
sofia-sip-1.12.11-10.4.mga8.src.rpm

Assignee: geiger.david68210 => qa-bugs

David Walser
2023-06-17 18:57:53 CEST
CC: (none) => geiger.david68210

mga8, x64

These libraries provide SIP user agent services for various personal intercommunication services such as VoIP and Instant Messaging. They would be used as building blocks in a development environment intended to support such services and as such cannot be readily tested in QA. There is a complex PoC which again is outside our remit so all we can do is guarantee a smooth update.

$ rpm -qa | grep sofia
lib64sofia-sip-devel-1.12.11-10.2.mga8
lib64sofia-sip-static-devel-1.12.11-10.2.mga8
sofia-sip-1.12.11-10.2.mga8
telepathy-sofiasip-0.7.1-10.mga8
lib64sofia-sip0-1.12.11-10.2.mga8

Updated the 64-bit packages via qarepo and MageiaUpdate. Something odd in the second stage. "Downloader cannot handle metalink..." and curl reported four failures. Repeated MageiaUpdate from the OK and this time there was no problem.

$ rpm -qa | grep sofia-sip
lib64sofia-sip-static-devel-1.12.11-10.4.mga8
sofia-sip-1.12.11-10.4.mga8
lib64sofia-sip0-1.12.11-10.4.mga8
lib64sofia-sip-devel-1.12.11-10.4.mga8

Advice?

CC: (none) => tarazed25

sofia-sip is used by telepathy-sofiasip. I don't know if you have a way to test that.

Debian has issued an advisory for this on June 16:
https://www.debian.org/security/2023/dsa-5431

Thanks Dave. I saw it at the bottom of my list, the only "external application", and after a brief look at what it does decided it was out of my league. I figured that you have to have some sort of development structure in place already for it to be useful. So a clean install it is - unless the glitch in MageiaUpdate counts against that.

Len Lawrence
2023-06-21 00:01:43 CEST
Whiteboard: (none) => MGA8-64-OK

Validating.

Keywords: (none) => validated_update

Dave Hodgins
2023-06-27 22:28:17 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0209.html

Resolution: (none) => FIXED