SUSE has issued an advisory on July 11: https://lists.opensuse.org/opensuse-security-announce/2017-07/msg00013.html Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Reassigning to all packagers collectively, since there is no longer a registered maintainer for this package.
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
oss-security post about this with patches and more details: http://openwall.com/lists/oss-security/2017/07/14/1
Debian has issued an advisory for this on July 11: https://www.debian.org/security/2017/dsa-3907
Patched package uploaded for Mageia 5 Updated (to 0.13.90) packages uploaded for Mageia 6 and Cauldron. Advisory: ======================== Updated spice packages fix security vulnerability: A vulnerability was discovered in spice, in the server's protocol handling. An authenticated attacker could send specially crafted messages to the spice server, causing out-of-bounds memory accesses leading to parts of server memory being leaked or a crash (CVE-2017-7506). The Mageia 5 package has been patched to fix this issue. The Mageia 6 package has been updated to version 0.13.90, containing fixes for this and several other issues. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7506 https://cgit.freedesktop.org/spice/spice/tree/NEWS?id=34dff543bef7a5201f41c72353a65840bd37c275 https://bugzilla.redhat.com/show_bug.cgi?id=1452606 https://www.debian.org/security/2017/dsa-3907 https://lists.opensuse.org/opensuse-security-announce/2017-07/msg00013.html ======================== Updated packages in core/updates_testing: ======================== spice-client-0.12.5-2.5.mga5 libspice-server1-0.12.5-2.5.mga5 libspice-server-devel-0.12.5-2.5.mga5 spice-protocol-0.12.13-1.mga6 spice-client-0.13.90-1.mga6 libspice-server1-0.13.90-1.mga6 libspice-server-devel-0.13.90-1.mga6 from SRPMS: spice-0.12.5-2.5.mga5.src.rpm spice-protocol-0.12.13-1.mga6.src.rpm spice-0.13.90-1.mga6.src.rpm
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOOSeverity: major => criticalVersion: Cauldron => 6Assignee: pkg-bugs => qa-bugs
CC: (none) => bequimao.de
I have running qemu-kvm and virt-manager with both Mageia 6 x86_64 as host and client. Network interface is bridge, enp14s0:macvtap. The only package installed before was libspice-server1, and thus can be tested. Everything is fine, network, sound, mouse, klipboard working. Installed here Host: # rpm -qa | grep spice lib64spice-client-gtk-gir3.0-0.33-3.mga6 lib64spice-client-glib2.0_8-0.33-3.mga6 lib64spice-client-glib-gir2.0-0.33-3.mga6 lib64spice-client-gtk3.0_5-0.33-3.mga6 lib64spice-server1-0.13.90-1.mga6 spice-gtk-0.33-3.mga6 [root@localhost ~]# Client: # rpm -qa | grep spice spice-webdavd-2.2-1.mga6 spice-vdagent-0.17.0-2.mga6 [root@localhost ~]# Ulrich
Adding OK from Ulrichs testing
Whiteboard: MGA5TOO => MGA5TOO mga6-64-ok
Testing complete mga5 64 Procedure: bug 16919 comment 2 Validating critical update
Keywords: (none) => validated_updateWhiteboard: MGA5TOO mga6-64-ok => MGA5TOO mga6-64-ok mga5-64-okCC: (none) => sysadmin-bugs
Whiteboard: MGA5TOO mga6-64-ok mga5-64-ok => advisory MGA5TOO mga6-64-ok mga5-64-ok
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0239.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED