Bug 23661 - hylafax+ new security issue CVE-2018-17141
Summary: hylafax+ new security issue CVE-2018-17141
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-09 23:51 CEST by David Walser
Modified: 2018-10-10 16:28 CEST (History)
4 users

See Also:
Source RPM: hylafax+-5.5.8-4.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2018-10-09 23:51:18 CEST
A security issue fixed upstream in Hylafax+ has been announced:
https://www.openwall.com/lists/oss-security/2018/09/20/1

The issue was fixed upstream in 5.6.1.

Debian has issued an advisory for this on September 20:
https://www.debian.org/security/2018/dsa-4298
David Walser 2018-10-09 23:51:35 CEST

CC: (none) => geiger.david68210

Comment 1 David GEIGER 2018-10-10 02:20:16 CEST
Done for mga6!
Comment 2 Marja Van Waes 2018-10-10 06:16:49 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => cjw, marja11, smelror

Comment 3 Marja Van Waes 2018-10-10 06:50:03 CEST
(In reply to David GEIGER from comment #1)
> Done for mga6!

Thanks, David, and sorry for having missed that (it's still early).

Assigning to you then, because there's no advisory etc. yet.

Assignee: pkg-bugs => geiger.david68210

Comment 4 David Walser 2018-10-10 16:28:10 CEST
Advisory:
========================

Updated hylafax+ packages fix a security vulnerability:

Luis Merino, Markus Vervier and Eric Sesterhenn discovered that missing input
sanitising in the Hylafax fax software could potentially result in the
execution of arbitrary code via a malformed fax message (CVE-2018-17141).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17141
https://www.debian.org/security/2018/dsa-4298
========================

Updated packages in core/updates_testing:
========================
hylafax+-5.6.1-1.mga6
hylafax+-client-5.6.1-1.mga6
libhylafax+5-5.6.1-1.mga6
libhylafax+-devel-5.6.1-1.mga6

from hylafax+-5.6.1-1.mga6.src.rpm

Assignee: geiger.david68210 => qa-bugs