Bug 28953 - networkmanager new security issue CVE-2021-20297
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-20 19:48 CEST by David Walser
Modified: 2021-07-04 04:15 CEST

See Also:
Source RPM: networkmanager-1.26.6-1.mga8.src.rpm
CVE:
Status comment:


Attachments
System info, list of installed packages (3.67 KB, text/plain)
2021-07-02 15:18 CEST, Ulrich Beckmann

Description David Walser 2021-05-20 19:48:45 CEST
Red Hat has issued an advisory on May 18:
https://access.redhat.com/errata/RHSA-2021:1574

The issue is fixed upstream in 1.30.0 and the upstream commit that fixed the issue is referenced in the Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1943282

Mageia 7 is also affected.
David Walser 2021-05-20 19:48:58 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from upstream

Comment 1 Aurelien Oudelet 2021-05-21 03:07:29 CEST
Hi, thanks for reporting this.

Assigning to registered maintainer.

CC: (none) => ouaurelien
Assignee: bugsquad => jani.valimaa

Comment 2 David Walser 2021-05-28 21:06:23 CEST
Ubuntu has issued an advisory for this on April 14:
https://ubuntu.com/security/notices/USN-4914-1
Comment 3 Jani Välimaa 2021-05-29 19:59:24 CEST
nm with a patch from upstream in mga8 core/updates_testing.

SRPMS:
networkmanager-1.26.6-1.1.mga8

RPMS:
lib(64)nm0-1.26.6-1.1.mga8
lib(64)nm-devel-1.26.6-1.1.mga8
lib(64)nm-gir1.0-1.26.6-1.1.mga8
networkmanager-1.26.6-1.1.mga8
networkmanager-adsl-1.26.6-1.1.mga8
networkmanager-bluetooth-1.26.6-1.1.mga8
networkmanager-ppp-1.26.6-1.1.mga8
networkmanager-team-1.26.6-1.1.mga8
networkmanager-tui-1.26.6-1.1.mga8
networkmanager-wifi-1.26.6-1.1.mga8
networkmanager-wwan-1.26.6-1.1.mga8

Assignee: jani.valimaa => qa-bugs

Comment 4 David Walser 2021-05-30 04:47:52 CEST
You forgot Mageia 7.  Please leave yourself in CC when assigning to QA also.

Assignee: qa-bugs => jani.valimaa

Comment 5 David Walser 2021-06-28 18:20:42 CEST
But introduced in 1.26.0, so Mageia 7 is not affected.

Whiteboard: MGA7TOO => (none)
Status comment: Patch available from upstream => (none)
Assignee: jani.valimaa => qa-bugs
CC: (none) => jani.valimaa

Comment 6 Ulrich Beckmann 2021-07-02 15:18:49 CEST
Created attachment 12840
System info, list of installed packages


Tested on a Sony Vaio E series notebook.
NetworkManager was installed and configured before. No regression found.

Ulrich

CC: (none) => bequimao.de

Comment 7 Thomas Andrews 2021-07-03 19:05:37 CEST
HP Probook 6550b, 64-bit Plasma system.

Network Manager already installed and operating before the update. After the update, I rebooted to make sure the connection would be established at boot. Also, I was able to connect to both frequencies of my network, and the signal of another network is detected, as usual.

Looks OK to me. With two good tests, I'm validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-07-04 02:58:18 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-07-04 04:15:12 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0309.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

