Upstream has announced a security issue on January 24:
http://openwall.com/lists/oss-security/2015/01/24/6

The issue will be fixed in 2.0.0-b8, which has not been released yet. A CVE identifier has also not been made available yet.

Mageia 4 is also affected.
Whiteboard: (none) => MGA4TOO
CVE-2015-1379 has been issued: http://openwall.com/lists/oss-security/2015/01/27/19
Summary: socat new security issue (possible DoS) => socat new security issue CVE-2015-1379
Upstream has finally issued an update for 2.0.0-b8:
http://openwall.com/lists/oss-security/2015/04/06/4

Update committed in SVN for Mageia 4 and Cauldron. Freeze push requested.
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated socat package fixes security vulnerability:

In socat before 2.0.0-b8, signal handler implementations are not async-signal-safe and can cause crash or freeze of socat processes. Mostly this issue occurs when socat is in listening mode with fork option and a couple of child processes terminate at the same time (CVE-2015-1379).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1379
http://openwall.com/lists/oss-security/2015/04/06/4
========================

Updated packages in core/updates_testing:
========================
socat-2.0.0-0.b8.1.mga4

from socat-2.0.0-0.b8.1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => (none)
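The failure mode named in the advisory above (signal handlers that are not async-signal-safe, hit when several forked children terminate together) is avoided by the pattern below: the handler only sets a flag and all reaping happens in the main loop. This is an added example, not socat's code or the upstream patch; `on_sigchld`, `reap_exited` and `run_fork_demo` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Written by the handler, read by the main loop. */
static volatile sig_atomic_t got_sigchld = 0;
/* Async-signal-safe: no stdio, malloc or locks, only a flag store. */
static void on_sigchld(int signo) { (void)signo; got_sigchld = 1; }

/* Reap outside signal context. Children that exit together can raise a
 * single SIGCHLD, so loop until waitpid() has nothing more to report. */
static int reap_exited(void) {
    int n = 0;
    while (waitpid(-1, NULL, WNOHANG) > 0)
        n++;    /* logging and bookkeeping are safe here */
    return n;
}

/* Constructed demo: fork nchildren that exit at once, return number reaped. */
int run_fork_demo(int nchildren) {
    struct sigaction sa = { .sa_flags = SA_RESTART | SA_NOCLDSTOP };
    sigset_t block, prev, waitmask;
    int forked = 0, reaped = 0;
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGCHLD, &sa, NULL) < 0) return -1;
    /* Block SIGCHLD so the flag test and the wait cannot race. */
    sigemptyset(&block); sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, &prev);
    waitmask = prev;
    sigdelset(&waitmask, SIGCHLD);
    for (; forked < nchildren; forked++) {
        pid_t pid = fork();
        if (pid < 0) break;
        if (pid == 0) _exit(0);    /* child terminates immediately */
    }
    while (reaped < forked) {
        while (!got_sigchld) sigsuspend(&waitmask);  /* atomic unblock + wait */
        got_sigchld = 0;           /* clear before reaping: no lost wakeup */
        reaped += reap_exited();
    }
    sigprocmask(SIG_SETMASK, &prev, NULL);
    return reaped;
}

int main(void) { printf("reaped %d children\n", run_fork_demo(8)); return 0; }
```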
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=5986#c4

Works fine for me on Mageia 4 i586.
Whiteboard: (none) => has_procedure MGA4-32-OK
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0144.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/640415/