Ubuntu has issued an advisory on October 29: https://usn.ubuntu.com/4168-1/ The issue is fixed upstream in 2.2.0.
Assigning to the registered maintainer!
Assignee: bugsquad => jani.valimaa
CC: (none) => geiger.david68210
openSUSE has issued an advisory for this today (December 3): https://lists.opensuse.org/opensuse-updates/2019-12/msg00016.html 2.2.0 also fixed one other security issue.
Summary: libidn2 new security issue CVE-2019-12290 => libidn2 new security issues CVE-2019-12290 and CVE-2019-18224
Status comment: (none) => Fixed upstream in 2.2.0
Fedora has issued an advisory for this on November 20: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U6ZXL2RDNQRAHCMKWPOMJFKYJ344X4HL/
Pushed libidn2-2.2.0-1.mga7 to core/updates_testing for mga7. Please test.

RPMS:
idn2-2.2.0-1.mga7
lib(64)idn2_0-2.2.0-1.mga7
lib(64)idn2-devel-2.2.0-1.mga7
libidn2-i18n-2.2.0-1.mga7
Assignee: jani.valimaa => qa-bugs
Maybe we should update to 2.3.0 like Fedora did to make sure we have all the fixes?
CC: (none) => jani.valimaa
Advisory:
========================

Updated libidn2 packages fix security vulnerabilities:

It was discovered that Libidn2 incorrectly handled certain inputs. An attacker could possibly use this issue to impersonate domains (CVE-2019-12290).

It was discovered that Libidn2 incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code (CVE-2019-18224).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12290
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224
https://usn.ubuntu.com/4168-1/
MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous updates, so Google comes to help:
https://www.gnu.org/software/libidn/libidn2/manual/html_node/Invoking-idn2.html
Honestly, I hardly understand what this is about, and I won't start a study on it, so just trying a few examples.

$ idn2 --version
idn2 (libidn2) 2.2.0
Copyright 2011-(C) 2019 Simon Josefsson, Tim Ruehsen.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Simon Josefsson, Tim Ruehsen.

$ idn2 --help
Gebruik: idn2 [OPTIE]... [TEKENREEKS]...
Internationalized Domain Name (IDNA2008) convert STRINGS, or standard input.

Command line interface to the Libidn2 implementation of IDNA2008.

All strings are expected to be encoded in the locale charset.

To process a string that starts with `-', for example `-foo', use `--'
to signal the end of parameters, as in `idn2 --quiet -- -foo'.

Mandatory arguments to long options are mandatory for short options too.
  -h, --help                Print help and exit
  -V, --version             Print version and exit
  -d, --decode              Decode (punycode) domain name
  -l, --lookup              Lookup domain name (default)
  -r, --register            Register label
  -T, --tr46t               Enable TR46 transitional processing
  -N, --tr46nt              Enable TR46 non-transitional processing
      --no-tr46             Disable TR46 processing
      --usestd3asciirules   Enable STD3 ASCII rules
      --no-alabelroundtrip  Disable ALabel rountrip for lookups
      --debug               Print debugging information
      --quiet               Silent operation

Report bugs to: help-libidn@gnu.org
libidn2 home page: <https://www.gnu.org/software/libidn/#libidn2>
General help using GNU software: <https://www.gnu.org/gethelp/>

and from above site:

$ idn2 --quiet
räksmörgås.se (I input this)
xn--rksmrgs-5wao1o.se (feedback)

$ idn2 räksmörgås.se blåbærgrød.no
xn--rksmrgs-5wao1o.se
xn--blbrgrd-fxak7p.no

This all looks OK.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0416.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED