Upstream has issued an advisory on February 28: http://openwall.com/lists/oss-security/2017/02/28/3 https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/ More info available here: http://openwall.com/lists/oss-security/2017/03/01/1 Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
I added BR on libbsd-devel for cauldron: http://svnweb.mageia.org/packages?view=revision&revision=1088368
Version: Cauldron => 5CC: (none) => mageiaCVE: (none) => CVE-2017-2626Whiteboard: MGA5TOO => (none)
pushed in updates_testing for mageia 5 src.rpm: libice-1.0.9-3.1.mga5
Assignee: thierry.vignaud => qa-bugs
Advisory: ======================== Updated libice packages fix security vulnerability: libICE depends on arc4random() to generate the session cookies, thereby using a weak mechanism to generate entropy (CVE-2017-2626). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2625 https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/ ======================== Updated packages in core/updates_testing: ======================== libice6-1.0.9-3.1.mga5 libice-devel-1.0.9-3.1.mga5 from libice-1.0.9-3.1.mga5.src.rpm
MGA5-32 on Asus A6000VM Xfce No installation issues. Loads of progs have a dependency on libice6. Traced a simple case: open some txt file with pluma. Found call to libICE.so.6 in the trace, so OK for me.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA5-32-OK
@David Aout to do the advisory, I noticed that the CVE-ID is not consistent. Neither 2625 nor 2626 go anywhere, both are RESERVED. Ah.The reference includes (among others) both, but libICE is equated to 2626. All that for the record. Advisory done with 2626. And because this is M5 only, validating also.
Keywords: (none) => validated_updateWhiteboard: MGA5-32-OK => MGA5-32-OK advisoryCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0307.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
Lewis, there are no inconsistencies, as I consistently used 2626 here, which is the correct CVE for libice. Note that most CVEs say RESERVED because no description has been posted, but it also means that it *has* been assigned for something.
Ahh nevermind, I see it.
*** Bug 25731 has been marked as a duplicate of this bug. ***
CC: (none) => zombie.ryushu