Advisory:
============

A flaw in cxxtools version 2.2 allows remote attackers to cause a denial of service (infinite recursion and crash) via an HTTP query that contains %% (double percent) characters (CVE-2013-7298). This update fixes the vulnerability.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7298
============

Updated packages in mga4 core/updates_testing. mga3 is not affected.

Source packages:
cxxtools-2.2-2.1.mga4

Binary packages:
lib64cxxtools9-2.2-2.1.mga4
lib64cxxtools-devel-2.2-2.1.mga4
Will you fix this for Mageia 3 as well?
Whiteboard: (none) => feedback
From description: "mga3 is not affected."
Whiteboard: feedback => (none)
Oh sorry, I missed that. All of the outside references I looked at said versions before 2.2.1 were affected. Where did you determine that?
Summary: cxxtools CVE-2013-7298 (mga4) => cxxtools new security issue CVE-2013-7298
The code was very different pre-2.2, and Debian handler wasn't able to reproduce: http://comments.gmane.org/gmane.linux.debian.devel.secure-testing.cvs/26659
Severity: normal => major
libcxxtools is used by tntnet (bug 12616) so both can be tested together
Whiteboard: (none) => has_procedure
Whiteboard: has_procedure => has_procedure MGA4-64-OK
Tested Mga4 32-bit with tntnet, nothing unexpected encountered.

Update validated. See Description for advisory.

SRPM: cxxtools-2.2-2.1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you.
Keywords: (none) => validated_update
CC: (none) => isolde, sysadmin-bugs
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK
Update pushed: http://advisories.mageia.org/MGASA-2014-0073.html
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK advisory
URL: (none) => http://lwn.net/Vulnerabilities/583136/