Debian-LTS has issued an advisory on February 18: https://www.debian.org/lts/security/2021/dla-2562 The issue is fixed upstream in 1.3.4. Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOOStatus comment: (none) => Fixed upstream in 1.3.4
Done for cauldron, mga7 and mga8!
CC: (none) => geiger.david68210
Thanks David; another "no sooner said than done" tour de force. Changing you from CC to Assignee. It will need an Advisory.
Assignee: bugsquad => geiger.david68210CC: geiger.david68210 => (none)
Package list: mumble-1.3.4-1.mga7 mumble-protocol-plasma5-1.3.4-1.mga7 mumble-plugins-1.3.4-1.mga7 mumble-server-1.3.4-1.mga7 mumble-server-web-1.3.4-1.mga7 mumble-1.3.4-1.mga8 mumble-plugins-1.3.4-1.mga8 mumble-server-1.3.4-1.mga8 mumble-server-web-1.3.4-1.mga8 mumble-protocol-plasma5-1.3.4-1.mga8 from SRPMS: mumble-1.3.4-1.mga7.src.rpm mumble-1.3.4-1.mga8.src.rpm
Assignee: geiger.david68210 => qa-bugsCC: (none) => geiger.david68210Whiteboard: MGA8TOO, MGA7TOO => MGA7TOOStatus comment: Fixed upstream in 1.3.4 => (none)Version: Cauldron => 8
Advisory: ======================== Updated mumble packages fix security vulnerability: Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text (CVE-2021-27229). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27229 https://www.debian.org/lts/security/2021/dla-2562
[root@mga8-final ~]# dnf list $(cat mga8_28450.list) Last metadata expiration check: 3:19:44 ago on Mon 08 Mar 2021 01:30:38 PM -03. Installed Packages mumble.x86_64 1.3.4-1.mga8 @updates_testing-x86_64 mumble-plugins.x86_64 1.3.4-1.mga8 @updates_testing-x86_64 mumble-protocol-plasma5.x86_64 1.3.4-1.mga8 @updates_testing-x86_64 [root@mga8-final ~]# Installed and upgraded mumble in a fresh Mga8 Installation. Then I went through the config workflow, connected to a foreign server, and had a small talk. Everything works fine. Ulrich
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OKCC: (none) => bequimao.de
[root@mga7-final ~]# dnf list $(cat mga7_28450.list) Last metadata expiration check: 0:16:21 ago on Mon 08 Mar 2021 05:08:39 PM -03. Installed Packages mumble.x86_64 1.3.4-1.mga7 @updates_testing-x86_64 mumble-plugins.x86_64 1.3.4-1.mga7 @updates_testing-x86_64 mumble-protocol-plasma5.x86_64 1.3.4-1.mga7 @updates_testing-x86_64 [root@mga7-final ~]# Here I had mumble previously configured. They heard me, and also heard my dog. No regression found. Ulrich
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK
Thanks, Ulrich! Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Advisory committed to SVN.
CC: (none) => ouaurelienKeywords: (none) => advisoryCVE: (none) => CVE-2021-27229
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0125.html
Status: NEW => RESOLVEDResolution: (none) => FIXED