Debian has issued an advisory on October 29:
https://www.debian.org/security/2017/dsa-4009
openSUSE has issued an advisory for this today (November 15):
https://lists.opensuse.org/opensuse-updates/2017-11/msg00045.html
Somehow I missed this before (I probably thought we didn't have this package).
Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Thanks guys for the assignment :) I am ok to have a look, but the official maintainer is ovitters! I am pushing an update on Cauldron, because the current version is old and not building anymore. But for mga6, it would be better if Olav could have a look, I don't want to break too much stuff! Let me know, Cheers.
CC: (none) => olav
It seems that this is an orphan package on mga6:
urpmq --whatrequires shadowsocks-libev
shadowsocks-libev
urpmq --whatrequires lib64shadowsocks1
lib64shadowsocks-devel
lib64shadowsocks1
Easiest way would be for me to push for mga6 the same version as the one I have pushed on Cauldron 3.0.1 + CVE patch, anyone seeing a problem? Cheers.
This is purely some leaf software to avoid restrictions on crappy networks. E.g. avoiding China firewall and so on. There's an app on Android that goes with it. Please push same version!
Ok done, this is in update testing for mga6. An advisory follows. I have no idea how to test this package, so at least make sure that it installs correctly without any scriptlet failing and without conflict with existing packages!

Advisory:
========================
Updated shadowsocks-libev packages to fix security vulnerability (CVE-2017-15924).
An improper parsing could allow command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic.

References
==================
https://www.debian.org/security/2017/dsa-4009
https://lists.opensuse.org/opensuse-updates/2017-11/msg00045.html
https://security-tracker.debian.org/tracker/CVE-2017-15924

Updated packages in core/updates_testing:
========================
lib64shadowsocks2-3.1.0-1.mga6
lib64shadowsocks-devel-3.1.0-1.mga6
shadowsocks-libev-3.1.0-1.mga6

from SRPMS:
shadowsocks-libev-3.1.0-1.mga6
Assignee: eatdirt => qa-bugs
CC: (none) => eatdirt
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Confirmed update installs cleanly on both arches. Advisory committed to svn. Validating the update.
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA6-64-OK MGA6-32-OK
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0436.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED