openSUSE has issued an advisory today (November 10):
https://lists.opensuse.org/opensuse-updates/2017-11/msg00030.html

The issue is fixed upstream in 4.5. The SUSE bug contains a link to the upstream commit that fixed the issue:
https://bugzilla.suse.com/show_bug.cgi?id=1052261

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
CC: (none) => marja11
Assignee: bugsquad => basesystem
Patched package uploaded for cauldron, Mageia 6, and Mageia 5.

Advisory:
========================

Updated shadow-utils package fixes security vulnerability:

It was found that shadow-utils had a buffer overflow where if a buffer was left NULL for a cycle the next cycle would happily write past the entries buffer (CVE-2017-12424).

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-12424
https://lists.opensuse.org/opensuse-updates/2017-11/msg00030.html
========================

Updated packages in core/updates_testing:
========================
shadow-utils-4.2.1-6.1.mga5
from shadow-utils-4.2.1-6.1.mga5.src.rpm

shadow-utils-4.4-1.1.mga6
from shadow-utils-4.4-1.1.mga6.src.rpm

Tested locally on cauldron, mga6/64, and mga5/32 before submitting to the build system.

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=18984#c19
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: basesystem => qa-bugs
Version: Cauldron => 6
Keywords: (none) => has_procedure
CC: (none) => mrambo
Just testing that the update installs cleanly and a few of the commands such as pwck still work. Validating the update.
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0465.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED