Bug 28087 - libzypp, zypper new security issue CVE-2017-9271
Summary: libzypp, zypper new security issue CVE-2017-9271
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Nicolas Lécureuil
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-13 19:29 CET by David Walser
Modified: 2021-07-01 18:28 CEST (History)
1 user (show)

See Also:
Source RPM: libzypp-17.20.0-6.mga8.src.rpm, zypper-1.14.33-2.mga8.src.rpm
CVE:
Status comment: Fixed upstream in libzypp 17.25.4 / zypper 1.14.41

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-01-13 19:29:21 CET 
SUSE has issued an advisory today (January 13):
https://lists.suse.com/pipermail/sle-security-updates/2021-January/008193.html

The issue is fixed upstream in 17.25.4.

Mageia 7 is also affected.
David Walser 2021-01-13 19:30:01 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 17.25.4

Comment 1 Nicolas Lécureuil 2021-01-13 21:09:31 CET 
Freeze push asked for cauldron.

Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)

David Walser 2021-01-13 22:22:31 CET

Version: 7 => Cauldron
Whiteboard: (none) => MGA7TOO

Comment 2 David Walser 2021-01-13 23:37:55 CET 
Re-reading the advisory, it looks like zypper needs updated to 1.14.41 too.

Status comment: Fixed upstream in 17.25.4 => Fixed upstream in libzypp 17.25.4 / zypper 1.14.41
Source RPM: libzypp-17.20.0-6.mga8.src.rpm => libzypp-17.20.0-6.mga8.src.rpm, zypper-1.14.33-2.mga8.src.rpm
Summary: libzypp new security issue CVE-2017-9271 => libzypp, zypper new security issue CVE-2017-9271

Comment 3 Lewis Smith 2021-01-14 14:23:37 CET 
Done: in cauldron, Wed Jan 13, New version 1.14.42.

Leaving this with NicolasL as already dealing with it.
CC'ing cjw as the principle maintaner.

Assignee: bugsquad => mageia
CC: mageia => cjw

Comment 4 Nicolas Lécureuil 2021-01-14 15:20:42 CET 
libzypp and zypper are now fixed in cauldron

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 5 David Walser 2021-01-15 21:41:29 CET 
openSUSE has issued an advisory for this on January 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FB5G3FIS4OQH3FX723SLMBOC4P37HKHV/
Comment 6 David Walser 2021-07-01 18:28:30 CEST 
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Resolution: (none) => OLD
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.