libksba 1.3.4 fixes a couple of security issues and a bug. From the NEWS file:

Noteworthy changes in version 1.3.4 (2016-05-03) [C19/A11/R4]
------------------------------------------------

 * Fixed two OOB read access bugs which could be used to force a DoS.
 * Fixed a crash due to faulty curve OID lookup code.
 * Synced the list of supported curves with those of Libgcrypt.
 * New configure option --enable-build-timestamp; a build timestamp is
   not anymore used by default.

The two OOB read accesses have been assigned CVEs:
http://openwall.com/lists/oss-security/2016/05/10/4
http://openwall.com/lists/oss-security/2016/05/11/10

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libksba packages fix security vulnerabilities:

An out-of-bounds read access in _ksba_dn_to_str() in libksba 1.3.3, due to
an incomplete fix for CVE-2016-4356, could result in denial of service
(CVE-2016-4574).

In libksba 1.3.3, the returned length of the object from _ksba_ber_parse_tl()
(ti.length) was not always checked against the actual buffer length, thus
leading to a read access after the end of the buffer, which could result in
denial of service (CVE-2016-4579).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4574
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4579
http://openwall.com/lists/oss-security/2016/05/10/4
http://openwall.com/lists/oss-security/2016/05/11/10
========================

Updated packages in core/updates_testing:
========================

libksba8-1.3.4-1.mga5
libksba-devel-1.3.4-1.mga5

from libksba-1.3.4-1.mga5.src.rpm
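The CVE-2016-4579 description above boils down to one missing comparison: a BER tag/length parser hands back a declared content length (ti.length) that is attacker controlled, and the caller used it without checking it against the bytes actually left in the buffer. The following is an added illustration of that check, written for this bug entry; it is not libksba's code, does not reproduce _ksba_ber_parse_tl(), and the function names (parse_tl, read_tlv, count_children) and the sample byte strings are constructed for the example. It goes slightly beyond the advisory by applying the same check at each nesting level, which is where a correct outer length but a lying inner length would otherwise slip through.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample inputs (not taken from any real certificate or CRL). */
/* SEQUENCE { INTEGER 5 }: well formed. */
const unsigned char SAMPLE_OK[] = {0x30, 0x03, 0x02, 0x01, 0x05};
/* SEQUENCE { INTEGER 5, INTEGER 7 }: two well-formed children. */
const unsigned char SAMPLE_TWO[] = {0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07};
/* Outer length claims 0x1000 content bytes, but only 3 follow. */
const unsigned char SAMPLE_OUTER_LIES[] = {0x30, 0x82, 0x10, 0x00, 0x02, 0x01, 0x05};
/* Outer length is honest; the inner INTEGER claims 5 bytes with 1 present. */
const unsigned char SAMPLE_INNER_LIES[] = {0x30, 0x03, 0x02, 0x05, 0x05};
/* The long-form length octets themselves are cut off. */
const unsigned char SAMPLE_HDR_CUT[] = {0x30, 0x82, 0x10};

struct tl {
    unsigned char tag;   /* low-tag-number form only, for brevity */
    size_t length;       /* declared content length: attacker controlled */
    size_t nhdr;         /* bytes used by the tag and length octets */
};

/* Parse a tag and a definite length (short or long form).  This only
 * validates the header octets; whether `length` fits in the buffer is
 * deliberately left to the caller, which is the pattern the advisory
 * describes (hypothetical helper, not libksba's). */
static int parse_tl(const unsigned char *buf, size_t buflen, struct tl *ti)
{
    size_t i = 0;
    if (buflen < 2)
        return -1;
    ti->tag = buf[i++];
    unsigned char c = buf[i++];
    if (c < 0x80) {
        ti->length = c;
    } else if (c == 0x80) {
        return -1;                      /* indefinite length: not handled here */
    } else {
        size_t n = c & 0x7f;
        if (n > sizeof(size_t) || n > buflen - i)
            return -1;                  /* length octets run past the buffer */
        size_t len = 0;
        for (size_t k = 0; k < n; k++)
            len = (len << 8) | buf[i++];
        ti->length = len;
    }
    ti->nhdr = i;
    return 0;
}

/* Hardened read of one TLV.  On success sets *content/*contentlen to the
 * value bytes and returns the element's total size; -1 if malformed. */
long read_tlv(const unsigned char *buf, size_t buflen, unsigned char *tag,
              const unsigned char **content, size_t *contentlen)
{
    struct tl ti;
    if (parse_tl(buf, buflen, &ti) < 0)
        return -1;
    /* The comparison the advisory says was missing: the declared length
     * must fit in what is actually left after the header. */
    if (ti.length > buflen - ti.nhdr)
        return -1;
    *tag = ti.tag;
    *content = buf + ti.nhdr;
    *contentlen = ti.length;
    return (long)(ti.nhdr + ti.length);
}

/* Walk the children of a constructed element, repeating the check at each
 * level.  Returns the child count, or -1 on any length inconsistency. */
int count_children(const unsigned char *buf, size_t buflen)
{
    unsigned char tag;
    const unsigned char *p;
    size_t remaining;
    if (read_tlv(buf, buflen, &tag, &p, &remaining) < 0)
        return -1;
    int count = 0;
    while (remaining > 0) {
        const unsigned char *child;
        size_t childlen;
        long used = read_tlv(p, remaining, &tag, &child, &childlen);
        if (used < 0)
            return -1;
        p += used;                      /* used <= remaining is guaranteed */
        remaining -= (size_t)used;
        count++;
    }
    return count;
}

int main(void)
{
    printf("ok=%d two=%d outer-lies=%d inner-lies=%d hdr-cut=%d\n",
           count_children(SAMPLE_OK, sizeof SAMPLE_OK),
           count_children(SAMPLE_TWO, sizeof SAMPLE_TWO),
           count_children(SAMPLE_OUTER_LIES, sizeof SAMPLE_OUTER_LIES),
           count_children(SAMPLE_INNER_LIES, sizeof SAMPLE_INNER_LIES),
           count_children(SAMPLE_HDR_CUT, sizeof SAMPLE_HDR_CUT));
    return 0;
}
```

The point of the SAMPLE_INNER_LIES case is that checking only the outermost length is not enough: every place that consumes a ti.length from the parser has to compare it with the remaining buffer, which is why an "incomplete fix" of this class of bug (as the advisory notes for CVE-2016-4574) is easy to end up with.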
Testing information for this package is in a previous update, Bug 14663. (Test using gpg2).
Whiteboard: (none) => has_procedure
Follow: https://bugs.mageia.org/show_bug.cgi?id=11306#c3 replacing gpg with gpg2 commands.
Testing complete mga5 64. Used the first half of the procedure, up to recreating the file.
Whiteboard: has_procedure => has_procedure mga5-64-ok
URL: (none) => http://lwn.net/Vulnerabilities/687395/
Tested using the same part of the procedure as Claire, Mageia 5 i586.
Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-32-ok mga5-64-ok
LWN reference for CVE-2016-4579: http://lwn.net/Vulnerabilities/687714/
Fedora has issued an advisory for this on May 14: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RMTIMWWDRTHPLGRGF4GHZ3AHGJ5PX2CX/
Severity: normal => major
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
advisory uploaded
Whiteboard: has_procedure mga5-32-ok mga5-64-ok => has_procedure advisory mga5-32-ok mga5-64-ok
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0181.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED