Bug 19553 - libgit2 new security issues CVE-2016-856[89]
Summary: libgit2 new security issues CVE-2016-856[89]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Thierry Vignaud
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/703984/
Whiteboard:
Keywords:
Depends on: 19792
Blocks:
Reported: 2016-10-08 20:45 CEST by David Walser
Modified: 2017-08-29 22:40 CEST (History)

See Also:
Source RPM: libgit2-0.24.1-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2016-10-08 20:45:30 CEST
CVE has been assigned for two security issues in libgit2:
http://openwall.com/lists/oss-security/2016/10/08/7

Fixes are being prepared upstream.

Mageia 5 is probably also affected.
David Walser 2016-10-08 20:45:43 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-10-19 22:06:03 CEST
Fedora has issued an advisory for this on October 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4E77DG5KGQ7L34U75QY7O6NIPKZNQHQJ/

URL: (none) => http://lwn.net/Vulnerabilities/703984/

Comment 2 David Walser 2017-01-10 15:32:27 CET
CVEs have been requested for two more security issues in libgit2:
http://openwall.com/lists/oss-security/2017/01/10/5

The commits to fix them are linked in the message above and they are fixed in 0.24.6.

CC: (none) => jani.valimaa

Comment 3 David Walser 2017-01-10 22:19:28 CET
libgit2-0.24.6-1.mga6 uploaded for Cauldron by Jani, fixing these.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 David Walser 2017-01-11 11:51:18 CET
CVE-2016-1012[89], CVE-2016-10130, and CVE-2017-533[89] assigned:
http://openwall.com/lists/oss-security/2017/01/11/6

Summary: libgit2 new security issues CVE-2016-8568 and CVE-2016-8569 => libgit2 new security issues CVE-2016-856[89], CVE-2016-1012[89], CVE-2016-10130, and CVE-2017-533[89]

Comment 5 David Walser 2017-01-15 00:09:03 CET
(In reply to David Walser from comment #4)
> CVE-2016-1012[89], CVE-2016-10130, and CVE-2017-533[89] assigned:
> http://openwall.com/lists/oss-security/2017/01/11/6

Fedora has issued an advisory for this on January 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7EO3ZLOT4QLXSD2D24FUGV4DDLIMI5ZK/

LWN reference:
https://lwn.net/Vulnerabilities/711586/
Nicolas Lécureuil 2017-08-11 15:07:59 CEST

CC: (none) => mageia
Summary: libgit2 new security issues CVE-2016-856[89], CVE-2016-1012[89], CVE-2016-10130, and CVE-2017-533[89] => libgit2 new security issues CVE-2016-856[89], CVE-2016-10130, and CVE-2017-533[89]

Nicolas Lécureuil 2017-08-11 15:08:21 CEST

Summary: libgit2 new security issues CVE-2016-856[89], CVE-2016-10130, and CVE-2017-533[89] => libgit2 new security issues CVE-2016-856[89], CVE-2017-533[89]]

Nicolas Lécureuil 2017-08-11 15:08:37 CEST

Summary: libgit2 new security issues CVE-2016-856[89], CVE-2017-533[89]] => libgit2 new security issues CVE-2016-856[89]]

Comment 6 Nicolas Lécureuil 2017-08-11 15:22:54 CEST
CVE-2016-8568 and CVE-2016-8569 are now fixed on svn

src.rpm:
         libgit2-0.21.1-3.2.mga5

Assignee: thierry.vignaud => qa-bugs

Comment 7 David Walser 2017-08-11 15:49:35 CEST
Thanks. We can't assign two bugs to QA for the same package though.

Assignee: qa-bugs => thierry.vignaud
Depends on: (none) => 19792

Comment 8 Nicolas Lécureuil 2017-08-11 15:57:13 CEST
Can't we push/test all at once?
Comment 9 David Walser 2017-08-12 02:13:00 CEST
(In reply to Nicolas Lécureuil from comment #8)
> Can't we push/test all at once?

Yeah, we just have to link the bugs and assign only one of them to QA (the one that blocks the other).  I made this one depend on the other and we'll have QA test it in Bug 19792.
Comment 10 David Walser 2017-08-29 22:40:22 CEST
Fixed in:
http://advisories.mageia.org/MGASA-2017-0319.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
