22906 – nghttp2 new security issue CVE-2018-1000168

Bug 22906 - nghttp2 new security issue CVE-2018-1000168

Summary: nghttp2 new security issue CVE-2018-1000168

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	Cauldron
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	All Packagers
QA Contact:	Sec team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2018-04-14 03:37 CEST by David Walser
Modified:	2018-04-19 13:31 CEST (History)
CC List:	5 users (show)

See Also:
Source RPM:	nghttp2-1.25.0-1.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-04-14 03:37:52 CEST

An advisory has been issued today (April 13):
http://openwall.com/lists/oss-security/2018/04/12/4

The issue was fixed upstream in 1.31.1.

Mageia 6 is not affected.

Comment 1 Marja Van Waes 2018-04-14 07:10:23 CEST

Assigning to all packagers collectively, since the registered maintainer for this package seems still unavailable.

CC'ing the maintainer and the last two pushers of the package.

Assignee: bugsquad => pkg-bugs
CC: (none) => guillomovitch, marja11, pterjan

Marja Van Waes 2018-04-14 08:32:19 CEST

CC: (none) => oe

Comment 2 Stig-Ørjan Smelror 2018-04-18 19:52:49 CEST

nghttp2 1.31.1 has been pushed to Cauldron.

Had to disable the tests as they kept failing in iurt, but always ran successfully when build locally.

Cheers,
Stig

CC: (none) => smelror

Comment 3 David Walser 2018-04-19 13:31:51 CEST

Fixed in nghttp2-1.31.1-1.mga7.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.