Fedora has issued an advisory today (August 20): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZSNHXXCHORHUAQRWKA55MLDULQGRD7QD/ Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
QA Contact: (none) => securityComponent: RPM Packages => Security
Depends on: (none) => 21663
Two more security issues have been announced on October 21: http://openwall.com/lists/oss-security/2017/10/21/5
Summary: glibc new security issue CVE-2017-12132 => glibc new security issue CVE-2017-12132 and CVE-2017-1567[01]
Yep, saw them on glibc devel ml today... will fix them up in a day or so
(In reply to David Walser from comment #1) > Two more security issues have been announced on October 21: > http://openwall.com/lists/oss-security/2017/10/21/5 Fedora has issued an advisory for this on October 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QGYTYJ24DSU5PZANSP74WZLR7KWQPZMG/
Cauldron is fixed, mga5 will probably not be fixed as its close to EOL... so it wont block this update... if I re-consider it will be done as a separate bugreport Fixing CVE-2017-1213[23], CVE-2017-1567[01], CVE-2017-15804, all in one go.. libtirpc is affected by CVE-2017-12133, so its part of this update SRPMS: glibc-2.22-26.mga6.src.rpm libtirpc-1.0.1-5.1.mga6.src.rpm i586: glibc-2.22-26.mga6.i586.rpm glibc-devel-2.22-26.mga6.i586.rpm glibc-doc-2.22-26.mga6.noarch.rpm glibc-i18ndata-2.22-26.mga6.i586.rpm glibc-profile-2.22-26.mga6.i586.rpm glibc-static-devel-2.22-26.mga6.i586.rpm glibc-utils-2.22-26.mga6.i586.rpm nscd-2.22-26.mga6.i586.rpm libtirpc-1.0.1-5.1.mga6.i586.rpm libtirpc3-1.0.1-5.1.mga6.i586.rpm libtirpc-devel-1.0.1-5.1.mga6.i586.rpm x86_64: glibc-2.22-26.mga6.x86_64.rpm glibc-devel-2.22-26.mga6.x86_64.rpm glibc-doc-2.22-26.mga6.noarch.rpm glibc-i18ndata-2.22-26.mga6.x86_64.rpm glibc-profile-2.22-26.mga6.x86_64.rpm glibc-static-devel-2.22-26.mga6.x86_64.rpm glibc-utils-2.22-26.mga6.x86_64.rpm nscd-2.22-26.mga6.x86_64.rpm lib64tirpc3-1.0.1-5.1.mga6.x86_64.rpm lib64tirpc-devel-1.0.1-5.1.mga6.x86_64.rpm libtirpc-1.0.1-5.1.mga6.x86_64.rpm
Whiteboard: MGA6TOO, MGA5TOO => (none)Version: Cauldron => 6
*** Bug 21663 has been marked as a duplicate of this bug. ***
I would really like to see important ones like these fixed for Mageia 5. It wasn't close to the EOL when I reported them, we just haven't had time to get around to fixing things this year. This isn't some obscure packages.
Yeah, it only depend on how much work it is to backport the fixes to mga5, because I dont want to introduce a regression in a distro about to hit eol either... so we''ll see, but I will still keep it separate from this bug so mga6 can be validated asap too
Seems I forgot to assign this to QA
Assignee: tmb => qa-bugs
*** Bug 22242 has been marked as a duplicate of this bug. ***
x86_64 builds running here on several systems since 2017-12-16
CC: (none) => tmb
Tested while testing the kernel updates. Validating the update
Keywords: (none) => advisory, validated_updateWhiteboard: (none) => MGA6-64-OK MGA6-32-OKCC: (none) => davidwhodgins, sysadmin-bugs
Please dont blindly copy fedora advisories... I already stated on last night QA meeting that I would fix up the missing advisories for my packages... I've fixed up the advisory with stuff that actually affects our update The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.(CVE-2017-12132, CVE-2017-12133). The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow (CVE-2017-15670). The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak) (CVE-2017-15671). The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804). As libtirpc is also affected by CVE-2017-12133, it's part of this update.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0464.html
Status: NEW => RESOLVEDResolution: (none) => FIXED