A CVE has been assigned for a DoS security issue fixed in upstream git:
http://www.openwall.com/lists/oss-security/2016/09/08/7
The commit to fix the issue is linked in the message above. I'm not sure if Mageia 5 is affected.
Assigning to maintainer. However, CC'ing all packagers collectively, because the registered maintainer is, unfortunately, mostly MIA.
@Matteo: If real life allows you to fix the issue, then please set the Status of this report to ASSIGNED, so that no one else will start working on it :-)
Kind regards,
Marja
CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => matteo.pasotti
Fixed for mga5 and freeze_push requested for Cauldron.
CC: (none) => geiger.david68210
Thanks David! Waiting for freeze push before assigning to QA.
Advisory:
========================
Applications using libtorrent-rasterbar are vulnerable to denial of service. An attacker-controlled torrent tracker can crash victim torrent clients by sending malformed GZIP responses (CVE-2016-7164).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7164
http://www.openwall.com/lists/oss-security/2016/09/08/7
========================
Updated packages in core/updates_testing:
========================
libtorrent-rasterbar7-0.16.18-1.3.mga5
python-libtorrent-rasterbar-0.16.18-1.3.mga5
libtorrent-rasterbar-devel-0.16.18-1.3.mga5
from libtorrent-rasterbar-0.16.18-1.3.mga5.src.rpm
libtorrent-rasterbar-1.0.10-1.mga6 uploaded for Cauldron. Assigning to QA. This is used by qbittorrent, deluge, and miro. Advisory and package list in Comment 3.
Version: Cauldron => 5
Assignee: matteo.pasotti => qa-bugs
Whiteboard: (none) => has_procedure
MGA5-32 on Acer D620 Xfce
No installation issues.
Opened deluge with CLI "strace -o deluge.txt deluge" and found a reference to libtorrent-rasterbar.
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK
URL: (none) => http://lwn.net/Vulnerabilities/700649/
Created attachment 8447
File to launch a BitTorrent download
This attachment can be used to launch a BitTorrent download of a Mageia 5 Gnome DVD. Right-click the file, and the context menu offers (if you have them):
- open with Deluge
- open with qBitTorrent
which is a handy way to launch these clients to do something. You have to 'add' the selected file, then off it goes. You may need to select the torrent to see its info and control it. You can pause then remove the torrent and its associated data.
CC: (none) => lewyssmith
Recap of the component relationships:-
lib64torrent-rasterbar7
 |_qbittorrent[-nox]             Client program[s]
 |_python-libtorrent-rasterbar
    |_deluge                     Client program
    |_miro                       Client program
Testing MGA5 x64.
BEFORE update:
lib64torrent-rasterbar7-0.16.18-1.2.mga5
python-libtorrent-rasterbar-0.16.18-1.2.mga5
Confirmed with the test file Comment 6 that these basically worked.
AFTER update:
lib64torrent-rasterbar7-0.16.18-1.3.mga5
python-libtorrent-rasterbar-0.16.18-1.3.mga5
Launched both qbittorrent and deluge from the test file context menu; they seemed to work OK. Validating this update.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
Please add 19313.adv
CC: (none) => mageia
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0320.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
(In reply to Nicolas Lécureuil from comment #8)
> Please add 19313.adv
I would have done this, along with other advisories awaiting; but thanks.
I was on it so I did it :) It was quick as QA team already added all the info on the bug report.