| Summary: | guava new security issues CVE-2020-8908 and CVE-2023-2976 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, mageia, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | guava-31.0.1-3.mga9.src.rpm | CVE: | CVE-2020-8908, CVE-2023-2976 |
| Status comment: | | | |
Description
Nicolas Salguero
2024-04-09 10:24:15 CEST

Nicolas Salguero
2024-04-09 10:24:49 CEST
Whiteboard: (none) => MGA9TOO

Assigning globally, & CC'ing NicolasL who is a recent committer of this.
Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A bug that could allow an attacker with access to the machine to potentially access data in a temporary directory created by Guava. (CVE-2020-8908)

Predictable temporary files and directories used in FileBackedOutputStream. (CVE-2023-2976)

References:
https://lwn.net/Articles/968975/
========================

Updated packages in core/updates_testing:
========================
guava-32.0.1-1.mga9
guava-javadoc-32.0.1-1.mga9
guava-testlib-32.0.1-1.mga9

from SRPM:
guava-32.0.1-1.mga9.src.rpm
Version: Cauldron => 9

Mageia9, x86_64

guava runs in an environment including Google and java and could be relevant to Android. For a complete outsider it is difficult to figure out exactly what its purpose or function is. /usr/share/doc/guava/README.md is not very helpful but these links may be:
[guava-snapshot-api-docs]: https://guava.dev/releases/snapshot-jre/api/docs/
[guava-snapshot-api-diffs]: https://guava.dev/releases/snapshot-jre/api/diffs/
[Guava Explained]: https://github.com/google/guava/wiki/Home
[Guava Beta Checker]: https://github.com/google/guava-beta-checker
[using Guava in your build]: https://github.com/google/guava/wiki/UseGuavaInYourBuild
[repackage]: https://github.com/google/guava/wiki/UseGuavaInYourBuild#what-if-i-want-to-use-beta-apis-from-a-library-that-people-use-as-a-dependency
[guava-deps]: https://github.com/google/guava/wiki/UseGuavaInYourBuild#what-about-guavas-own-dependencies

FWIW the packages update cleanly.

$ urpmq --whatrequires guava
auto-common
auto-service
auto-value
clojure-maven-plugin
google-guice
guava
guava-testlib
protobuf-java-util
truth
xmvn-minimal

There is a package /usr/share/java/google-guice-no_aop.jar.
guava-testlib has something to do with unit testing, strictly for developers.
Installed xmvn-minimal which turns out to be developer territory concerning maven and openjdk17.
Leaving this on hold in case anybody else wants to have a look at it.
CC: (none) => tarazed25

This is useful: https://github.com/google/guava/wiki/PhilosophyExplained
That makes it clear that this is for developers so not really testable by QA so it should be sent on.
Whiteboard: (none) => MGA9-64-OK
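Both CVEs in the suggested advisory above come down to the same weakness: Guava created temporary directories and files under java.io.tmpdir with whatever permissions the process umask left, so other local users could read what was written there. The following Java program is an added illustration for this report, not code from the bug tracker, from Mageia or from Guava itself. It assumes a POSIX file system (Linux); the class and method names are made up for the example, and the "weak" method only emulates the old default-permission behaviour rather than reproducing Guava's code.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Added example for this bug report; not code from Mageia or from Guava.
 * Assumes a POSIX file system (Linux). Names are hypothetical.
 */
public class GuavaTempDirExample {

    /**
     * The weak pattern behind CVE-2020-8908 and CVE-2023-2976: a directory
     * under java.io.tmpdir created without explicit permissions. Its mode is
     * 0777 masked by the process umask, normally 0755, so every local user
     * can list it and read any world-readable file written into it. This
     * stands in for what com.google.common.io.Files.createTempDir() used to
     * do; Guava's own code is not reproduced here.
     */
    static Path createTempDirWeak() throws IOException {
        Path base = Path.of(System.getProperty("java.io.tmpdir"));
        Path dir = base.resolve("weak-" + System.nanoTime());
        Files.createDirectory(dir); // no explicit permissions: umask decides
        return dir;
    }

    /**
     * The hardened pattern: ask java.nio for an owner-only (0700) directory.
     * The JDK randomises the name and applies the mode at creation time, so
     * there is no window in which another user can look inside.
     */
    static Path createTempDirHardened() throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        return Files.createTempDirectory("guava-example", ownerOnly);
    }

    /**
     * Same idea for the buffer file a FileBackedOutputStream-style class
     * spills to once its in-memory threshold is exceeded: 0600, and placed
     * inside the owner-only directory rather than straight in /tmp.
     */
    static Path createTempFileHardened(Path dir) throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerRw =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        return Files.createTempFile(dir, "buffer", ".tmp", ownerRw);
    }

    /** True if any group or "others" permission bit is set on the path. */
    static boolean accessibleToOthers(Path p) throws IOException {
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            if (!perm.name().startsWith("OWNER_")) {
                return true;
            }
        }
        return false;
    }

    /** Renders the mode as ls would, e.g. "rwxr-xr-x". */
    static String mode(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
    }

    public static void main(String[] args) throws IOException {
        Path weak = createTempDirWeak();
        Path hard = createTempDirHardened();
        Path buf = createTempFileHardened(hard);
        try {
            System.out.printf("%s %s accessible to others: %b%n", weak, mode(weak), accessibleToOthers(weak));
            System.out.printf("%s %s accessible to others: %b%n", hard, mode(hard), accessibleToOthers(hard));
            System.out.printf("%s %s accessible to others: %b%n", buf, mode(buf), accessibleToOthers(buf));
        } finally {
            Files.deleteIfExists(buf);
            Files.deleteIfExists(hard);
            Files.deleteIfExists(weak);
        }
    }
}
```

Run it with `java GuavaTempDirExample.java` (Java 11 or later, which covers the openjdk17 mentioned in this report). With the usual umask of 022 the first line reports rwxr-xr-x and true, the other two rwx------ / rw------- and false. To confirm that a Mageia 9 host has the fix, `rpm -q guava` should report guava-32.0.1-1.mga9 or later, matching the packages listed in the advisory above.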
katnatek
2024-04-30 19:09:29 CEST
CC: (none) => andrewsfarm

katnatek
2024-04-30 19:13:06 CEST
Keywords: (none) => advisory

Validating.
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0159.html
Resolution: (none) => FIXED