openSUSE has issued an advisory on October 21:
https://lists.opensuse.org/opensuse-updates/2017-10/msg00070.html
Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to the registered maintainer.
Assignee: bugsquad => pterjan
CC: (none) => marja11
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=21158
It looks like SUSE has a typo in one of their patch CVE numbers. The patch which claims to cover CVE-2017-1486[529] actually covers 1486[429]. There is a ticket on CVE-2017-14865 (and five others) still open upstream. But I found a more comprehensive patch set upstream anyway.
https://github.com/Exiv2/exiv2/pull/120 backports fixes for 15 CVEs to 0.26 (CVE-2017-11337, CVE-2017-11338, CVE-2017-11339, CVE-2017-11340, CVE-2017-11553, CVE-2017-11591, CVE-2017-11592, CVE-2017-11683, CVE-2017-12955, CVE-2017-12956, CVE-2017-12957, CVE-2017-14859, CVE-2017-14860, CVE-2017-14862, CVE-2017-14864) and some research found that the same patch fixed CVE-2017-11336 and CVE-2017-14857 also.
Patched package uploaded for Cauldron. Mageia 6 will be forthcoming as will Mageia 5 if the patch applies.
CC: (none) => mrambo
Assignee: pterjan => mrambo
Depends on: (none) => 21158
https://bugs.mageia.org/show_bug.cgi?id=21158#c9
Bug 21158 fixes all the CVEs cited above except 14869 (perhaps it does).
Can this bug be closed in consequence?
(In reply to Lewis Smith from comment #3)
> https://bugs.mageia.org/show_bug.cgi?id=21158#c9
> Bug 21158 fixes all the CVEs cited above except 14869 (perhaps it does).
> Can this bug be closed in consequence?
Once the update for Bug 21158 is pushed.
Fixed in: https://advisories.mageia.org/MGASA-2017-0391.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED