A CVE has been assigned for a security issue in jansson: http://openwall.com/lists/oss-security/2016/05/02/1 It's not clear whether the version in Mageia 5 is affected. A pull request has been submitted upstream with a potential fix.
Debian has issued an advisory for this on May 14: https://www.debian.org/security/2016/dsa-3577
URL: (none) => http://lwn.net/Vulnerabilities/687590/
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated jansson packages fix security vulnerability:

Gustavo Grieco discovered that jansson did not limit the recursion depth when parsing JSON arrays and objects. This could allow remote attackers to cause a denial of service (crash) via stack exhaustion, using crafted JSON data (CVE-2016-4425).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4425
https://www.debian.org/security/2016/dsa-3577
========================

Updated packages in core/updates_testing:
========================
jansson-2.4-4.1.mga5
jansson-devel-2.4-4.1.mga5

from jansson-2.4-4.1.mga5.src.rpm
Version: Cauldron => 5
Assignee: mageia => qa-bugs
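As an added illustration of the flaw class the advisory describes (not jansson's code and not the upstream fix), here is a minimal recursive-descent parser for JSON arrays and objects with and without a nesting cap; MAX_DEPTH, the scalar subset and all inputs are constructed for this demo.

```python
# Added example, not jansson's own code: a minimal recursive-descent parser for
# JSON arrays/objects showing the CVE-2016-4425 flaw class (one stack frame per
# nesting level, no cap) beside its fix. MAX_DEPTH=64 is constructed for this demo.
MAX_DEPTH = 64

class TinyParser:
    def __init__(self, text, max_depth):
        self.text, self.pos, self.max_depth = text, 0, max_depth

    def peek(self):
        return self.text[self.pos:self.pos + 1]           # "" at end of input

    def value(self, depth=0):
        c = self.peek()
        return self.container(c, depth) if c in ("[", "{") else self.scalar()

    def container(self, opener, depth):
        # The fix: refuse over-deep input before recursing any further.
        if depth >= self.max_depth:
            raise ValueError(f"nesting deeper than {self.max_depth}")
        closer = "]" if opener == "[" else "}"
        self.pos += 1                                     # consume opener
        items = []
        while self.peek() != closer:
            if closer == "}":
                key = self.scalar()
                self.pos += 1                             # consume ':'
                items.append((key, self.value(depth + 1)))
            else:
                items.append(self.value(depth + 1))
            if self.peek() == ",":
                self.pos += 1
        self.pos += 1                                     # consume closer
        return dict(items) if closer == "}" else items

    def scalar(self):
        start = self.pos            # demo subset: raw token text, no whitespace
        while self.pos < len(self.text) and self.text[self.pos] not in ",:]}":
            self.pos += 1
        if start == self.pos:
            raise ValueError("malformed or truncated input")
        return self.text[start:self.pos].strip('"')

def parse_json(text, max_depth=MAX_DEPTH):
    """Parsed value; 'rejected' on over-deep/malformed input; 'stack exhausted'
    when run uncapped (max_depth=float('inf')), Python's analogue of the C crash."""
    try:
        return TinyParser(text, max_depth).value()
    except ValueError:
        return "rejected"
    except RecursionError:
        return "stack exhausted"
```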
PoC: from debian link https://github.com/akheron/jansson/issues/282
Whiteboard: (none) => has_procedure
Testing mga5 64
Testing complete mga5 64

PoC requires jshon, which we don't appear to provide.

jansson package is just library & doc files; it should perhaps be libjansson instead.

# urpmf jansson
jansson:/usr/lib64/libjansson.so.4
jansson:/usr/lib64/libjansson.so.4.4.0
jansson:/usr/share/doc/jansson
jansson:/usr/share/doc/jansson/CHANGES
jansson:/usr/share/doc/jansson/LICENSE

Testing AFAIC using suricata

# urpmq --whatrequires jansson
jansson
jansson-devel
jansson-devel
libteam-tools
suricata

Suricata fails without SSE3 (build time option)
https://github.com/security-onion-solutions/security-onion/issues/26

It's a bit of an unfriendly beast, missing all sorts of config files from the source and needing extra configuration, but taking comfort from the fact the errors remain constant before & after updating jansson.

I think enough to ensure this updates cleanly and suricata issues unchanged.
Whiteboard: has_procedure => has_procedure mga5-64-ok
Indeed, I thought this wasn't properly libified when I wrote the advisory. Guillaume, would you mind libifying this package in Cauldron?
CC: (none) => guillomovitch, mageia
Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0198.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED