SUSE has issued an advisory today (October 15):
http://lists.suse.com/pipermail/sle-security-updates/2018-October/004670.html

Cauldron's version most likely already contains the fixes, linked from:
https://bugzilla.suse.com/show_bug.cgi?id=1106517
https://bugzilla.suse.com/show_bug.cgi?id=1106519
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing some committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => guillomovitch, marja11, smelror, tmb
Both of the SUSE patches linked above have already been applied to the Mageia 6 version of libtirpc. I did not specifically check Cauldron but would expect David to be correct that they were also applied there.
CC: (none) => mrambo
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Mike, which patches are they and for which update (which bug) were they applied? We should leave a note on the bug/update that fixed them that that update also fixed these CVEs.
The patches SUSE linked to are here:
http://git.linux-nfs.org/?p=steved/libtirpc.git;a=patch;h=fce98161d9815ea016855d9f00274276452c2c4b
http://git.linux-nfs.org/?p=steved/libtirpc.git;a=patch;h=1c77f7a869bdea2a34799d774460d1f9983d45f0

I already deleted the libtirpc I had worked on, but I just did a fresh checkout to confirm that the patches are already applied, and they are. Looking at the history on svnweb I don't see where they might have been applied, but they certainly are there. Is it explained by SUSE having patched 0.2.1 and our package being 1.0.1?

From the first link above...

Package List:

- SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): libtirpc-devel-0.2.1-1.13.6.1
- SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): libtirpc1-0.2.1-1.13.6.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): libtirpc-debuginfo-0.2.1-1.13.6.1 libtirpc-debugsource-0.2.1-1.13.6.1
Ahh, so they were already applied upstream before Mageia 6. Thanks.
Resolution: FIXED => INVALID