Fedora has issued an advisory on June 6:
Mageia 5 is also affected.
libtirpc hasn't been fixed yet in Fedora, and the vulnerable code appears to be there in the get_reply: section of clnt_dg_call() in src/clnt_dg.c.
Fedora added this patch in glibc:
They also added two bugfix patches in the same update.
glibc already fixed in cauldron since:
Name : glibc Relocations: (not relocatable)
Version : 2.22 Vendor: Mageia.Org
Release : 18.mga6 Build Date: Mon 30 May 2016 03:24:53 PM CEST
tmb <tmb> 6:2.22-18.mga6:
+ Revision: 1019403
- CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ#20112]
Thanks. Marking Cauldron for now as libtirpc has not yet been fixed.
libtirpc-1.0.1-4.mga6 uploaded for Cauldron with the fix.
Updated packages built this morning:
Assigning to QA, rpm list in comment 4.
I have this glibc update already running on Mageia infra and on several of my own live servers (x86_64 arch).
Will try to write the advisory tomorrow.
Running these packages fine with no issues on multiple Mageia 5 systems, both architectures.
Validating so this can ship with the kernel update.
Advisory added to svn.
MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.