distcc bundles minilzo, which is affected by the CVE-2014-4607 issue from the LZO library.
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.
Updated distcc packages fix security vulnerability:
An integer overflow in liblzo before 2.07 allows attackers to cause a denial
of service or possibly code execution in applications performing LZO
decompression on a compressed payload from the attacker (CVE-2014-4607).
The distcc package is built with a bundled copy of minilzo, which is a
part of liblzo containing the vulnerable code.
Updated packages in core/updates_testing:
Steps to Reproduce:
distcc is a tool to distribute a compilation over a network. So to test it one needs at least two machines connected to each other.
Some instructions on how to set it up: http://distcc.googlecode.com/svn/trunk/doc/web/index.html
The packages distcc and distcc-server are updating cleanly on both releases and both architectures.
MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Well done Damyan. Don't forget to validate any which is ready.
Validating this one now. Advisory uploaded.
Could sysadmin please push to 3 & 4 updates?
MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK =>
MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository.