RedHat has issued an advisory on May 18: https://access.redhat.com/errata/RHSA-2021:1924 The issue is fixed upstream in 0.14.92. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOOStatus comment: (none) => Fixed upstream in 0.14.92
Assigning to Thierry: you did in Cauldron the 0.14.3 update, and the recent 0.15.0 one. @DavidW : will that do the job of 0.14.92 ?
Assignee: bugsquad => thierry.vignaud
openSUSE has issued an advisory for this on June 17: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AINSWYQLD5FH4GUOEP5FWWA5CMFHTUDX/
Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Whiteboard: MGA7TOO => (none)
CC: (none) => mageiaSource RPM: spice-0.14.3-3.mga8.src.rpm => spice-protocol-0.14.3-3.mga8.src.rpm
Fixed package pushed in mga8: src: - spice-0.14.3-3.1.mga8
Source RPM: spice-protocol-0.14.3-3.mga8.src.rpm => spice-0.14.3-3.mga8.src.rpmStatus comment: Fixed upstream in 0.14.92 => (none)Assignee: thierry.vignaud => qa-bugs
spice-client-0.14.3-3.1.mga8 libspice-server-devel-0.14.3-3.1.mga8 libspice-server1-0.14.3-3.1.mga8 from spice-0.14.3-3.1.mga8.src.rpm
MGA8-64 Plasmaon Lenovo B50 No installation issues. This laptop is not sufficuently equipped to run VM's.
CC: (none) => herman.viaene
CC: (none) => bequimao.de
Advisory: ======================== Updated spice packages fix a security vulnerability: A flaw was found in spice in versions before 0.14.92. A DoS tool might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection (CVE-2021-20201). References: - https://bugs.mageia.org/show_bug.cgi?id=28947 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20201 - https://access.redhat.com/errata/RHSA-2021:1924 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AINSWYQLD5FH4GUOEP5FWWA5CMFHTUDX/ ======================== Updated packages in core/updates_testing: ======================== lib(64)spice-server-devel-0.14.3-3.1.mga8 lib(64)spice-server1-0.14.3-3.1.mga8 spice-client-0.14.3-3.1.mga8 from SRPM: spice-0.14.3-3.1.mga8.src.rpm
CC: (none) => ouaurelien
Created attachment 12901 [details] Log of installation/upgrade Tested Spice with Virt-Manager, Qemu/KVM Host is Mageia 8 KDE Plasma, guest also Mageia 8 KDE Plasma Shared folder, ok Clipboard sharing, both directions ok USB redirection, created and deleted files on an usb flash drive - ok. I will give details of host and guest configuration later. Best regards, Ulrich
I documented the needs and proceedings to get it running in the international forum https://forums.mageia.org/en/viewtopic.php?f=41&t=14293 Setting the bug report to ok! Finally! Ulrich
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0405.html
Status: NEW => RESOLVEDResolution: (none) => FIXED