Upstream has issued an advisory on February 28:
More info available here:
Mageia 5 is also affected.
I added BR on libbsd-devel for cauldron:
pushed in updates_testing for mageia 5
Updated libice packages fix security vulnerability:
libICE depends on arc4random() to generate the session cookies, thereby using a
weak mechanism to generate entropy (CVE-2017-2626).
Updated packages in core/updates_testing:
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Loads of progs have a dependency on libice6. Traced a simple case: open some txt file with pluma.
Found call to libICE.so.6 in the trace, so OK for me.
Aout to do the advisory, I noticed that the CVE-ID is not consistent. Neither 2625 nor 2626 go anywhere, both are RESERVED.
Ah.The reference includes (among others) both, but libICE is equated to 2626.
All that for the record. Advisory done with 2626.
And because this is M5 only, validating also.
An update for this issue has been pushed to the Mageia Updates repository.
Lewis, there are no inconsistencies, as I consistently used 2626 here, which is the correct CVE for libice. Note that most CVEs say RESERVED because no description has been posted, but it also means that it *has* been assigned for something.
Ahh nevermind, I see it.
*** Bug 25731 has been marked as a duplicate of this bug. ***