SUSE has issued an advisory today (October 13): https://lists.suse.com/pipermail/sle-security-updates/2020-October/007540.html Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Fedora has issued an advisory for this on October 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3BID3HVHAF6DA3YJOFDBSAZSMR3ODNIW/
Hi, thanks for reporting this bug. Assigned to all package maintainer, as no registered one. CC'ed recent commiter. (Please set the status to 'assigned' if you are working on it)
CC: (none) => nicolas.salgueroKeywords: (none) => TriagedAssignee: bugsquad => pkg-bugs
Suggested advisory: ======================== The updated packages fix a security vulnerability: url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is enabled, as demonstrated by a large PAC file that is delivered without a Content-length header. (CVE-2020-26154) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26154 https://lists.suse.com/pipermail/sle-security-updates/2020-October/007540.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3BID3HVHAF6DA3YJOFDBSAZSMR3ODNIW/ ======================== Updated packages in core/updates_testing: ======================== lib(64)proxy1-0.4.15-4.2.mga7 libproxy-utils-0.4.15-4.2.mga7 python2-libproxy-0.4.15-4.2.mga7 python3-libproxy-0.4.15-4.2.mga7 libproxy-perl-0.4.15-4.2.mga7 libproxy-gxsettings-0.4.15-4.2.mga7 lib(64)proxy-gnome-0.4.15-4.2.mga7 lib(64)proxy-kde-0.4.15-4.2.mga7 lib(64)proxy-networkmanager-0.4.15-4.2.mga7 lib(64)proxy-webkit-0.4.15-4.2.mga7 libproxy-pacrunner-0.4.15-4.2.mga7 lib(64)proxy-devel-0.4.15-4.2.mga7 from SRPM: libproxy-0.4.15-4.2.mga7.src.rpm
Assignee: pkg-bugs => qa-bugsKeywords: Triaged => (none)Status: NEW => ASSIGNEDCVE: (none) => CVE-2020-26154Version: Cauldron => 7Whiteboard: MGA7TOO => (none)Source RPM: libproxy-0.4.15-10.mga8.src.rpm => libproxy-0.4.15-4.1.mga7.src.rpm
$ uname -a Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux The following 6 packages are going to be installed: - lib64proxy-gnome-0.4.15-4.2.mga7.x86_64 - lib64proxy-networkmanager-0.4.15-4.2.mga7.x86_64 - lib64proxy-webkit-0.4.15-4.2.mga7.x86_64 - lib64proxy1-0.4.15-4.2.mga7.x86_64 - libproxy-gxsettings-0.4.15-4.2.mga7.x86_64 - libproxy-utils-0.4.15-4.2.mga7.x86_64 19KB of additional disk space will be used. --note I'm updating the already installed modules from 4.1 to 4.2 REbooted Utilities seem to be working and no network connection issues.
CC: (none) => brtians1
(In reply to Brian Rockwell from comment #4) > $ uname -a > Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 > x86_64 x86_64 x86_64 GNU/Linux > > The following 6 packages are going to be installed: > > - lib64proxy-gnome-0.4.15-4.2.mga7.x86_64 > - lib64proxy-networkmanager-0.4.15-4.2.mga7.x86_64 > - lib64proxy-webkit-0.4.15-4.2.mga7.x86_64 > - lib64proxy1-0.4.15-4.2.mga7.x86_64 > - libproxy-gxsettings-0.4.15-4.2.mga7.x86_64 > - libproxy-utils-0.4.15-4.2.mga7.x86_64 > > 19KB of additional disk space will be used. > > --note I'm updating the already installed modules from 4.1 to 4.2 > > > REbooted > > Utilities seem to be working and no network connection issues. Does your system use a proxy on your network to go online? I don't see this on your above comment. Meanwhile, using a squid server on my M7 system listening to my private network (on 198.168.1.254). Redirecting network from an other M7 system updated (1982.168.1.2), to this server under Plasma Systemsettings and /etc/resolv.conf to ask DNS to gateway/proxy (192.168.1.254): HTTP goes through squid and correctly logged. MGA7-64-OK Validating update. Advisory pushed to SVN.
CC: (none) => ouaurelien, sysadmin-bugsWhiteboard: (none) => MGA7-64-OKKeywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0399.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED