CVEs have been assigned for security issues fixed upstream in libevent 2.1.6: http://openwall.com/lists/oss-security/2017/02/02/7 I'm not sure if 2.0.x is affected, but 2.1.x has finally been declared stable, so we could possibly update it.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
Update to version 2.1.8 uploaded and freeze push requested. Note that the major has changed from 5 to 6 with the new version. I will update the affected packages as I can over the next day or so (unless package owners prefer to do it themselves). Affected packages: bitcoin-qt bitcoind ccnet ccnet-server coturn firefox firefox-beta flash-player-plugin freshplayerplugin gearmand iceape libccnet0 libevent-devel libevent5 libevhtp1 libmemcached libqt5webenginecore5 libunbound2 libverto-libevent memcached nfs-utils ocaml-event ocaml-event perl-Event-Lib php-event php-libevent seafile seafile-client seafile-server sslsplit telegram-cli thunderbird tmux tor transmission-cli transmission-daemon transmission-gtk3 transmission-qt5 unbound
CC: (none) => mrambo
Thanks to: http://www.linuxfromscratch.org/blfs/view/cvs/xsoft/firefox.html To fix the firefox build in Cauldron: sed -e s/_EVENT_SIZEOF/EVENT__SIZEOF/ \ -i ipc/chromium/src/base/message_pump_libevent.cc
Thank you David. I was planning on coming back around to that but I think you just saved me a lot of effort - if I could have figured it out at all. Of the list above the following are done. ccnet coturn firefox freshplayerplugin gearmand memcached ocaml-event php-event php-libevent sslsplit tor thunderbird is being worked by Nicolas flash-player-plugin also failed to build - looked like an extra file in the spec ff-beta looks like someone is in the middle of a version update (maybe) The rest are mostly owned by others. I will try to see if they want to handle the update themselves or not after having trouble with the last two above.
Debian has issued an advisory for this today (February 15): https://lists.debian.org/debian-security-announce/2017/msg00040.html The DSA will be posted here: https://www.debian.org/security/2017/dsa-3789 We can get patches for Mageia 5 from here: https://anonscm.debian.org/cgit/collab-maint/libevent.git/commit/?id=51863ce254fd2f428e22859dab0dd29ceab20920
URL: (none) => https://lwn.net/Vulnerabilities/714581/
The following have also been rebuilt for cauldron (by me or others) for the new libevent. firefox libevhtp1 libqt5webenginecore5 libverto seafile & client thunderbird flash-player-plugin - A build error was resolved and the update pushed this morning but this has since stopped working due to (it looks like) adobe claiming we are attempting to download an old file. Perhaps .221 having been released is the reason and we need to update from .186? These still remain. bitcoin firefox-beta iceape nfs-utils perl-Event-Lib telegram-cli tmux transmission-* unbound & libunbound2
All packages except firefox-beta and perl-Event-Lib have been rebuilt. I tried both of those. It looks like tv was in the middle of a version update that I inadvertently stomped on. I have emailed him to ask what he wants done. perl-Event-Lib does not build. When I asked for help figuring out why there was some question as to whether it was needed at all. I don't really know the answer to that.
Testing hints are in https://bugs.mageia.org/show_bug.cgi?id=14970#c4 Updated package uploaded for Mageia 5. Advisory: ======================== Updated libevent package fixes security vulnerabilities: * The DNS code of Libevent contains an OOB read which can trigger a crash (CVE-2016-10197) * The libevent evutil_parse_sockaddr_port() contains a buffer overflow which can cause a segmentation fault (CVE-2016-10196) * The name_parse() function in libevent's DNS code is vulnerable to a buffer overread (CVE-2016-10195) References: http://openwall.com/lists/oss-security/2017/02/02/7 http://www.openwall.com/lists/oss-security/2017/01/31/17 ======================== Updated packages in core/updates_testing: ======================== lib64event5-2.0.22-1.1.mga5 lib64event-devel-2.0.22-1.1.mga5 libevent-debuginfo-2.0.22-1.1.mga5 libevent-2.0.22-1.1.mga5.src.rpm
Version: Cauldron => 5Assignee: pkg-bugs => qa-bugsWhiteboard: (none) => has_procedure
CC: (none) => davidwhodginsWhiteboard: has_procedure => has_procedure advisory
MGA5-32 on Asus A6000VM Xfce No installation isssues Run firefox, check with strace that libevent is called.
CC: (none) => herman.viaeneWhiteboard: has_procedure advisory => has_procedure advisory MGA5-32-OK
(In reply to Mike Rambo from comment #7) > All packages except firefox-beta and perl-Event-Lib have been rebuilt. > > I tried both of those. It looks like tv was in the middle of a version > update that I inadvertently stomped on. I have emailed him to ask what he > wants done. perl-Event-Lib does not build. When I asked for help figuring > out why there was some question as to whether it was needed at all. I don't > really know the answer to that. Want to note that perl-Event-Lib was updated to latest and a patch applied to fix building on cauldron. For QA, this note applies only to cauldron and does not have any impact on your testing of the libevent update on mga5.
Testing M5-64 real hardware: lib64event5-2.0.22-1.1.mga5 Following Herman, just running Firefox through its paces (including this report) under strace, which shows that libevent is being used: $ strace firefox 2>&1 | grep libevent open("/lib64/libevent.so.5", O_RDONLY|O_CLOEXEC) = 4 writev(4, [{"\22\0\16\0\302\5@\0046\1\0\0'\1\0\0\10\7\2\0\36\0\0\0libevent"..., 240}, {NULL, 0}, {"", 0}], 3) = 240 Everything works, OK. Validating.
Keywords: (none) => validated_updateWhiteboard: has_procedure advisory MGA5-32-OK => has_procedure advisory MGA5-32-OK MGA5-64-OKCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0066.html
Status: NEW => RESOLVEDResolution: (none) => FIXED