Bug 28019 - gssproxy new security issue CVE-2020-12658
Summary: gssproxy new security issue CVE-2020-12658
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-06 00:04 CET by David Walser
Modified: 2021-01-09 17:16 CET (History)
1 user (show)

See Also:
Source RPM: gssproxy-0.8.2-2.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-01-06 00:04:17 CET 
Debian-LTS has issued an advisory on January 4:
https://www.debian.org/lts/security/2021/dla-2516

The issue is fixed upstream in 0.8.3.
David Walser 2021-01-06 00:05:01 CET

Status comment: (none) => Fixed upstream in 0.8.3

Comment 1 Lewis Smith 2021-01-06 21:11:52 CET 
This is just for M7, we have 0.8.3 in Cauldron.

Assigning to the current maintainer.

Assignee: bugsquad => guillomovitch

Comment 2 Guillaume Rousse 2021-01-09 11:03:50 CET 
I just submitted gssproxy-0.8.2-2.1.mga7 in update_testing for mageia 7.
Comment 3 David Walser 2021-01-09 17:16:51 CET 
Advisory:
========================

Updated gssproxy package fixes security vulnerability:

gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex before
pthread exit in gp_worker_main() in gp_workers.c (CVE-2020-12658).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12658
https://www.debian.org/lts/security/2021/dla-2516
========================

Updated packages in core/updates_testing:
========================
gssproxy-0.8.2-2.1.mga7

from gssproxy-0.8.2-2.1.mga7.src.rpm

CC: (none) => guillomovitch
Status comment: Fixed upstream in 0.8.3 => (none)
Assignee: guillomovitch => qa-bugs
Note You need to log in before you can comment on or make changes to this bug.