SUSE has issued an advisory on August 3:
https://lists.suse.com/pipermail/sle-security-updates/2020-August/007211.html

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=27041
Fedora has issued an advisory for this on July 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TNMCV2DJJTX345YYBXAMJBXNNVUZQ5UH/

The issue is fixed upstream in 2.1.73.
Status comment: (none) => Fixed upstream in 2.1.73
Done for both Cauldron and mga7!
CC: (none) => geiger.david68210
Advisory:
========================

Updated python-rtslib packages fix security vulnerability:

Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/target/saveconfig.json because shutil.copyfile (instead of shutil.copy) is used and thus permissions are not preserved upon editing. An adversary with prior access to /etc/target/saveconfig.json could access a later version, resulting in a loss of integrity depending on their permission settings (CVE-2020-14019).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14019
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TNMCV2DJJTX345YYBXAMJBXNNVUZQ5UH/
========================

Updated packages in core/updates_testing:
========================
python-rtslib-2.1.73-1.mga7
python-rtslib-doc-2.1.73-1.mga7
python3-rtslib-2.1.73-1.mga7

from python-rtslib-2.1.73-1.mga7.src.rpm
Assignee: lists.jjorge => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 2.1.73 => (none)
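The permission behaviour described in the advisory, as an added example that is not part of this bug thread and not rtslib's own code: shutil.copyfile copies only file contents, so the target keeps a stale mode or gets one from the umask, while shutil.copy also copies the permission bits. File names, helper names and the sample config are constructed for illustration; a POSIX filesystem is assumed.

```python
import os
import shutil
import stat
import tempfile

def mode_of(path):
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)

def write_private(path, text):
    """Create path with mode 0600 and write text to it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)

def publish(copy_fn, src, dst, stale_mode=None):
    """Copy src over dst with copy_fn and return the mode dst ends up with.

    If stale_mode is given, dst is pre-created with that mode first,
    modelling a config file that already exists with loose permissions.
    """
    if stale_mode is not None:
        with open(dst, "w") as f:
            f.write("old contents\n")
        os.chmod(dst, stale_mode)
    copy_fn(src, dst)
    return mode_of(dst)

def run_demo():
    """Resulting modes for copyfile vs copy, on fresh and pre-existing targets."""
    old_umask = os.umask(0o022)  # fixed umask so the result is reproducible
    try:
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "saveconfig.json.tmp")  # constructed sample file
            write_private(src, '{"constructed": "sample"}\n')
            return {
                "copyfile_fresh": publish(shutil.copyfile, src, os.path.join(d, "a.json")),
                "copyfile_stale": publish(shutil.copyfile, src, os.path.join(d, "b.json"), 0o644),
                "copy_fresh": publish(shutil.copy, src, os.path.join(d, "c.json")),
                "copy_stale": publish(shutil.copy, src, os.path.join(d, "d.json"), 0o644),
            }
    finally:
        os.umask(old_umask)

def exposed(mode):
    """True if group or others hold any permission bit."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

if __name__ == "__main__":
    for case, mode in run_demo().items():
        print(f"{case:15} {oct(mode)} exposed={exposed(mode)}")
```

The same `exposed(mode_of(path))` check can be pointed at /etc/target/saveconfig.json after a save to confirm the updated package leaves the file private.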
MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous updates, so try....

# urpmq --whatrequires-recursive python-rtslib
python-rtslib
python-rtslib-doc
targetcli

Installed targetcli and then:

# strace -o pthrtslib.txt targetcli

In targetcli I tried:

/> help
GENERALITIES
============
This is a shell in which you can create, delete and configure configuration objects.
and a lot more
/> pwd
/
/> ls
o- / ......................................................................................................................... [...]
o- backstores .............................................................................................................. [...]
| o- block .................................................................................................. [Storage Objects: 0]
| o- fileio ................................................................................................. [Storage Objects: 0]
| o- pscsi .................................................................................................. [Storage Objects: 0]
| o- ramdisk ................................................................................................ [Storage Objects: 0]
o- iscsi ............................................................................................................ [Targets: 0]
o- loopback ......................................................................................................... [Targets: 0]
o- vhost ............................................................................................................ [Targets: 0]
o- xen-pvscsi ....................................................................................................... [Targets: 0]
/> status
Status for /:
/> version
targetcli version 2.1.fb49
/> sessions
(no open sessions)
/> exit
Global pref auto_save_on_exit=true
Configuration saved to /etc/target/saveconfig.json

Then checked the trace and found a.o.

stat("/usr/lib/python2.7/site-packages/targetcli/rtslib_fb", 0x7ffc4bc33aa0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/python2.7/site-packages/targetcli/rtslib_fb.so", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/python2.7/site-packages/targetcli/rtslib_fbmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/python2.7/site-packages/targetcli/rtslib_fb.py", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/python2.7/site-packages/targetcli/rtslib_fb.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)

So, it looks like it did something useful.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0336.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED