CVEs have been assigned for a few security issues in exiv2: http://openwall.com/lists/oss-security/2017/11/23/2 It appears that fixes for these issues and perhaps some others should be forthcoming as a new developer has taken over upstream.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to the registered maintainer.
Assignee: bugsquad => pterjan
CC: (none) => marja11
No fixes yet, so we won't be able to fix this for Mageia 5.
Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO
Status comment: (none) => Not fixed upstream as of end of 2017
FWIW, I have found patches for CVE-2017-1000126 and CVE-2017-1000128. I finally found (been watching this awhile now) where they mentioned CVE-2017-1000127 has been fixed but they did not link any specific patch for the fix. In addition, there are fixes for CVE-2017-14865 and CVE-2017-18005 which I don't think we've picked up plus a single patch which is said to fix CVE-2017-[9953,14858,14861,14863,14866]. The problem is that most of the patches are against their master instead of the 0.26 branch and do not apply to .26. I can force at least some of these to apply but I have no confidence they will work right afterward given some of the changes. AFAICS this might need to wait for 0.27 which they are working to release.
CC: (none) => mrambo
See also Bug 22801 and Bug 22871, whose issues might affect this.
Fedora has issued an advisory on May 19: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4TSFVKTLL2TM4AYXVBIQOLXGBD7WXAQU/ It fixes a few more CVEs in exiv2.
Summary: exiv2 new security issues CVE-2017-100012[6-8] => exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-17723, CVE-2017-17725, CVE-2018-5772
Ubuntu has issued an advisory today (July 3): https://usn.ubuntu.com/3700-1/ It fixes several additional issues.
Summary: exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-17723, CVE-2017-17725, CVE-2018-5772 => exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-17723, CVE-2017-17725, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45]
Fedora has issued an advisory on August 7: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HH6QKTBXFX67VYRDSC4O4U34V237UUKC/ It fixes a few more CVEs in exiv2.
Summary: exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-17723, CVE-2017-17725, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45] => exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-1772[35], CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144
openSUSE has issued an advisory for two of these issues today (October 23): https://lists.opensuse.org/opensuse-updates/2018-10/msg00129.html
SUSE has issued an advisory on November 23: http://lists.suse.com/pipermail/sle-security-updates/2018-November/004884.html
Summary: exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-1772[35], CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144 => exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-1772[35], CVE-2017-17669, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144
I believe these fixes are included upstream in 0.27, which is now in Cauldron.
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Ubuntu has issued an advisory for some of these issues and some new ones on January 10: https://usn.ubuntu.com/3852-1/
Summary: exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-1772[35], CVE-2017-17669, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144 => exiv2 new security issues CVE-2017-9239, CVE-2017-100012[6-8], CVE-2017-1772[35], CVE-2017-17669, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144, CVE-2018-{16336,17581}
Ubuntu has issued an advisory on July 15: https://usn.ubuntu.com/4056-1/ Ran out of room in the bug subject. Adding: CVE-2018-1910[78], CVE-2018-19535, CVE-2019-1311[0234]
Depends on: (none) => 25280
Reassigning to all packagers collectively, since there is no longer a registered maintainer for this package. CC'ing one more submitter.
CC: (none) => geiger.david68210
Assignee: pterjan => pkg-bugs
Red Hat has issued an advisory on August 6: https://access.redhat.com/errata/RHSA-2019:2101 Also adding CVE-2017-17724, CVE-2018-9305, CVE-2018-10772, CVE-2018-11037, CVE-2018-17282, CVE-2018-17581, CVE-2018-18915, CVE-2018-19607, CVE-2018-2009[6-9].
Summary: exiv2 new security issues CVE-2017-9239, CVE-2017-100012[6-8], CVE-2017-1772[35], CVE-2017-17669, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144, CVE-2018-{16336,17581} => exiv2 new security issues CVE-2017-9239, CVE-2017-100012[6-8], CVE-2017-1772[3-5], CVE-2017-17669, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144, CVE-2018-{16336,17581}
Mageia 6 is EOL.
Resolution: (none) => OLD
Status: NEW => RESOLVED