KDE has issued an advisory today (October 2):
https://kde.org/info/security/advisory-20201002-1.txt

The issue is fixed upstream in 20.08.2. Upstream commits are linked from the advisory above.

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Lots more details have been posted about this:
https://www.openwall.com/lists/oss-security/2020/10/13/4
openSUSE has issued an advisory for this on October 7:
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00014.html
Fixed for Cauldron with kdeconnect-kde-20.08.2-1.mga8
CC: (none) => geiger.david68210
Version: Cauldron => 7
Done for mga7!
Advisory:
========================

Updated kdeconnect-kde packages fix security vulnerability:

An attacker on your local network could send maliciously crafted packets to other hosts running kdeconnect on the network, causing them to use large amounts of CPU, memory or network connections, which could be used in a Denial of Service attack within the network (CVE-2020-26164).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26164
https://www.openwall.com/lists/oss-security/2020/10/13/4
https://kde.org/info/security/advisory-20201002-1.txt
========================

Updated packages in core/updates_testing:
========================
kdeconnect-kde-1.3.4-2.1.mga7
kdeconnect-kde-handbook-1.3.4-2.1.mga7
kdeconnect-kde-nautilus-1.3.4-2.1.mga7
libkdeconnectcore1-1.3.4-2.1.mga7
libkdeconnectinterfaces1-1.3.4-2.1.mga7
libkdeconnectpluginkcm1-1.3.4-2.1.mga7

from kdeconnect-kde-1.3.4-2.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Assignee: kde => qa-bugs
Installed and tested without issues.

Tested on a Plasma DE and LXQt DE. Connected to an Android phone and an Android tablet, using WiFi with and without WireGuard VPN.

Tested most features, including sending and receiving files, controlling media player, controlling mouse, executing command, sending and receiving notification. No issues found.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.

$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep kdeconnect | sort
kdeconnect-kde-1.3.4-2.1.mga7
kdeconnect-kde-handbook-1.3.4-2.1.mga7
lib64kdeconnectcore1-1.3.4-2.1.mga7
lib64kdeconnectinterfaces1-1.3.4-2.1.mga7
lib64kdeconnectpluginkcm1-1.3.4-2.1.mga7
CC: (none) => mageia
Sounds good enough to me. Giving it an OK and validating. Advisory in Comment 5.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory pushed to SVN.
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0416.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED