CVEs have been assigned for two security issues in libgit2: http://openwall.com/lists/oss-security/2016/10/08/7 Fixes are being prepared upstream. Mageia 5 is probably also affected.
Whiteboard: (none) => MGA5TOO
Fedora has issued an advisory for this on October 18: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4E77DG5KGQ7L34U75QY7O6NIPKZNQHQJ/
URL: (none) => http://lwn.net/Vulnerabilities/703984/
CVEs have been requested for two more security issues in libgit2: http://openwall.com/lists/oss-security/2017/01/10/5 The commits to fix them are linked in the message above and they are fixed in 0.24.6.
CC: (none) => jani.valimaa
libgit2-0.24.6-1.mga6 uploaded for Cauldron by Jani, fixing these.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
CVE-2016-1012[89], CVE-2016-10130, and CVE-2017-533[89] assigned: http://openwall.com/lists/oss-security/2017/01/11/6
Summary: libgit2 new security issues CVE-2016-8568 and CVE-2016-8569 => libgit2 new security issues CVE-2016-856[89], CVE-2016-1012[89], CVE-2016-10130, and CVE-2017-533[89]
(In reply to David Walser from comment #4)
> CVE-2016-1012[89], CVE-2016-10130, and CVE-2017-533[89] assigned:
> http://openwall.com/lists/oss-security/2017/01/11/6

Fedora has issued an advisory for this on January 13: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7EO3ZLOT4QLXSD2D24FUGV4DDLIMI5ZK/

LWN reference: https://lwn.net/Vulnerabilities/711586/
CC: (none) => mageia
Summary: libgit2 new security issues CVE-2016-856[89], CVE-2016-1012[89], CVE-2016-10130, and CVE-2017-533[89] => libgit2 new security issues CVE-2016-856[89], CVE-2016-10130, and CVE-2017-533[89]
Summary: libgit2 new security issues CVE-2016-856[89], CVE-2016-10130, and CVE-2017-533[89] => libgit2 new security issues CVE-2016-856[89], CVE-2017-533[89]]
Summary: libgit2 new security issues CVE-2016-856[89], CVE-2017-533[89]] => libgit2 new security issues CVE-2016-856[89]]
CVE-2016-8568 and CVE-2016-8569 are now fixed on svn

src.rpm: libgit2-0.21.1-3.2.mga5
Assignee: thierry.vignaud => qa-bugs
Thanks. We can't assign two bugs to QA for the same package though.
Assignee: qa-bugs => thierry.vignaud
Depends on: (none) => 19792
Can't we push/test all at once?
(In reply to Nicolas Lécureuil from comment #8)
> can't we push/test all in once ?

Yeah, we just have to link the bugs and assign only one of them to QA (the one that blocks the other). I made this one depend on the other and we'll have QA test it in Bug 19792.
Fixed in: http://advisories.mageia.org/MGASA-2017-0319.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED