A security issue fixed upstream in oniguruma has been announced on September 30: https://www.openwall.com/lists/oss-security/2020/09/30/7 The commit that fixed the issue is linked in the message above. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Fedora has issued an advisory for this on October 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZFUJY7BUIFBTZ3IUHVHCID4JYCRDGKPS/
Severity: normal => major
Debian-LTS has issued an advisory for this today (November 5): https://www.debian.org/lts/security/2020/dla-2431
Done for both Cauldron and mga7!
Advisory:
========================

Updated oniguruma packages fix security vulnerability:

In Oniguruma, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c (CVE-2020-26159).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26159
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZFUJY7BUIFBTZ3IUHVHCID4JYCRDGKPS/
========================

Updated packages in core/updates_testing:
========================

libonig5-6.9.4-1.1.mga7
liboniguruma-devel-6.9.4-1.1.mga7

from oniguruma-6.9.4-1.1.mga7.src.rpm
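The practical check a QA tester or administrator wants from an advisory like this one is whether the installed libonig5 / liboniguruma-devel packages are at or above the fixed version-release. The script below is an added example and not part of this bug report or of Mageia's tooling: it implements a simplified RPM version comparison (the numeric/alpha segment rules of rpmvercmp, including "~" sorting low) and audits a constructed package list in the format `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` prints. The fixed versions come from the advisory above; the sample installed list is made up.

```python
"""Audit installed oniguruma packages against the CVE-2020-26159 fixed versions.

Added example, not part of the Mageia bug report. FIXED comes from the advisory
on this page; SAMPLE_INSTALLED is constructed sample data.
"""
import re

# Fixed version-release pairs from the advisory (Mageia 7, core/updates_testing).
FIXED = {
    "libonig5": "6.9.4-1.1.mga7",
    "liboniguruma-devel": "6.9.4-1.1.mga7",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output:
# one package still on the pre-fix release, one already updated.
SAMPLE_INSTALLED = """\
libonig5 6.9.4-1.mga7
liboniguruma-devel 6.9.4-1.1.mga7
"""

# Version strings are split into numeric runs, alphabetic runs and tildes;
# separators such as '.' and '-' are ignored, as rpmvercmp does.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: return -1, 0 or 1 comparing a against b.

    Rules implemented: numeric segments compare numerically, alphabetic ones
    lexically, a numeric segment beats an alphabetic one, '~' sorts before
    anything (including the end of the string), and otherwise the string
    with more segments is newer. Caret ('^') handling is omitted.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":            # trailing tilde makes the longer one older
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def evr_cmp(a: str, b: str) -> int:
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def audit(installed_text: str) -> dict:
    """Return {name: (installed_evr, is_fixed)} for every FIXED package found."""
    result = {}
    for line in installed_text.splitlines():
        name, evr = line.split()
        if name in FIXED:
            result[name] = (evr, evr_cmp(evr, FIXED[name]) >= 0)
    return result


if __name__ == "__main__":
    for name, (evr, ok) in audit(SAMPLE_INSTALLED).items():
        print(f"{name} {evr}: {'fixed' if ok else 'VULNERABLE (need ' + FIXED[name] + ')'}")
```

On a real Mageia 7 host the constructed list would be replaced by the actual `rpm -qa` output; the comparison logic is the same, and the Cauldron source RPM version mentioned later in this report (6.9.5r1) also sorts above 6.9.4 under these rules.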
CC: (none) => geiger.david68210
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: geiger.david68210 => qa-bugs
Installed the update and looked at previous bugs 25843 and 24338, that is stuff out of my league. Can't say more than that it does not harm my system.
CC: (none) => herman.viaene
Too long in QA.

(In reply to Herman Viaene from comment #5)
> Installed the update and looked at previous bugs 25843 and 24338, that is
> stuff out of my league.
> Can't say more than that it does not harm my system.

@Len, what about this? As Herman, this is not my cup of tea...
CC: (none) => ouaurelien, tarazed25
Source RPM: oniguruma-6.9.5r1-1.mga8.src.rpm => oniguruma-6.9.4-1.mga7.src.rpm
@Aurelien, comment 6. Not mine either. The only contact I have had is in testing the PoC in a previous version. Those tests worked fine but give no clue as to how the application runs or how it works and I am in no position right now to attempt a follow-up so the package should perhaps be let go on the basis of a clean install - sticks in one's throat but what can you do?
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory pushed to SVN.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0452.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED