Bug 33012

Summary: clojure new security issue CVE-2024-22871
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: clojure-1.11.1-1.mga9.src.rpm CVE: CVE-2024-22871
Status comment:

Description Nicolas Salguero 2024-03-25 16:42:17 CET 
Fedora has issue an advisory on March 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25FKUOYXQZGGJMFUM5HJABWMIX2TILRV/

The problem is fixed in version 1.11.2.

Mageia 9 is also affected.
Nicolas Salguero 2024-03-25 16:42:54 CET

CVE: (none) => CVE-2024-22871
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => clojure-1.11.1-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.11.2

Comment 1 Lewis Smith 2024-03-25 20:21:43 CET 
No one packager evident for this SRPM, so assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-03-26 11:16:23 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an attacker to cause a denial of service (DoS) via the clojure.core$partial$fn__5920 function. (CVE-2024-22871)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25FKUOYXQZGGJMFUM5HJABWMIX2TILRV/
========================

Updated package in core/updates_testing:
========================
clojure-1.11.2-1.mga9

from SRPM:
clojure-1.11.2-1.mga9.src.rpm

Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.11.2 => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

katnatek 2024-03-26 18:04:03 CET

Keywords: (none) => advisory

Comment 3 Herman Viaene 2024-03-27 14:29:16 CET 
MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues.
No previous updates or wiki. Googled and found https://clojure.org/guides/repl/basic_usage , so
$ clojure 
Clojure 1.11.2
user=> (+ 2 3)
5
user=> (defn factorial [n]
(if (= n 0)
  1
  (* n (factorial (dec n)))))
#'user/factorial#'user/factorial
user=> (factorial 10)
#'user/factorial
3628800
So good enough for me

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2024-03-27 15:02:10 CET 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2024-03-27 20:25:28 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0093.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED