Debian has issued an advisory on September 11: https://www.debian.org/security/2018/dsa-4291
Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing a committer.
CC: (none) => cjw, marja11
openSUSE has issued an advisory on September 28: https://lists.opensuse.org/opensuse-updates/2018-09/msg00176.html
It fixes this and 4 more issues.
Summary: mgetty new security issue CVE-2018-16741 => mgetty new security issues CVE-2018-1674[1-5]
Done for Cauldron and mga6!
CC: (none) => geiger.david68210
Advisory:
========================

Updated mgetty packages fix security vulnerability:

The function do_activate() did not properly sanitize shell metacharacters to prevent command injection (CVE-2018-16741).

Stack-based buffer overflow that could have been triggered via a command-line parameter (CVE-2018-16742).

The command-line parameter username was passed unsanitized to strcpy(), which could have caused a stack-based buffer overflow (CVE-2018-16743).

The mail_to parameter was not sanitized, leading to command injection if untrusted input reached it (CVE-2018-16744).

The mail_to parameter was not sanitized, leading to a buffer overflow if long untrusted input reached it (CVE-2018-16745).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16741
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16745
https://lists.opensuse.org/opensuse-updates/2018-09/msg00176.html
========================

Updated packages in core/updates_testing:
========================
mgetty-1.1.37-1.1.mga6
mgetty-sendfax-1.1.37-1.1.mga6
mgetty-voice-1.1.37-1.1.mga6
mgetty-viewfax-1.1.37-1.1.mga6
mgetty-contrib-1.1.37-1.1.mga6

from mgetty-1.1.37-1.1.mga6.src.rpm
Version: Cauldron => 6
Assignee: bugsquad => qa-bugs
Whiteboard: MGA6TOO => (none)
In the absence of a fax machine there is probably little that can be done with this package. Installed the files and they updated cleanly. Found configuration files in /etc:
$ ls mgetty+sendfax
dialin.config  faxrunq.config         login.config   sendfax.config
faxheader      faxspool.rules.sample  mgetty.config  voice.conf
Giving this an OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
I agree with Len. This has been waiting long enough. Validating, on the strength of a clean install and update. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0402.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED