Bug 29023 - perl-Net-Netmask new security issue CVE-2021-29424
Summary: perl-Net-Netmask new security issue CVE-2021-29424
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-29 21:54 CEST by David Walser
Modified: 2021-07-27 22:23 CEST

See Also:
Source RPM: perl-Net-Netmask-1.910.400-3.mga8.src.rpm
CVE: CVE-2021-29424
Status comment:


Description David Walser 2021-05-29 21:54:13 CEST
Fedora has issued an advisory on April 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CBJVLXJSWN6DKSF5ADUEERI6M23R3GGP/

The issue is fixed upstream in 2.0.

Mageia 7 is also affected.
David Walser 2021-05-29 21:54:23 CEST

Status comment: (none) => Fixed upstream in 2.0
Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2021-07-01 18:54:58 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA7TOO => (none)

Comment 2 Nicolas Lécureuil 2021-07-23 16:00:02 CEST
New version pushed in mga8


src:
    - perl-Net-Netmask-2.0.100-1.mga8

Status comment: Fixed upstream in 2.0 => (none)
Assignee: thierry.vignaud => qa-bugs
CC: (none) => mageia

Comment 3 Aurelien Oudelet 2021-07-23 22:20:38 CEST
Advisory:
========================

Updated perl-Net-Netmask package fixes a security vulnerability:

The Net::Netmask module before 2.0000 for Perl does not properly consider
extraneous zero characters at the beginning of an IP address string, which
(in some situations) allows attackers to bypass access control that is based
on IP addresses (CVE-2021-29424).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29023
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29424
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CBJVLXJSWN6DKSF5ADUEERI6M23R3GGP/
========================

Updated package in core/updates_testing:
========================
perl-Net-Netmask-2.0.100-1.mga8

from SRPM:
perl-Net-Netmask-2.0.100-1.mga8.src.rpm

CC: (none) => ouaurelien
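
An illustration of the leading-zero ambiguity described in the advisory above, added here as an example; it is not code from Net::Netmask or from Mageia. The function names, the blocked range and the sample strings are constructed, and the octal reading is the one C-style `inet_aton` parsers apply to an octet with a leading zero (the advisory itself only says the zeros are not properly considered).

```python
import ipaddress

# Constructed policy for the example: callers must not reach this range.
BLOCKED = ipaddress.ip_network("10.0.0.0/8")

def read_quad(addr, zero_base):
    """Parse a dotted quad; octets with a leading zero use `zero_base`
    (10 = zeros ignored, 8 = C-style octal as in inet_aton)."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    octets = []
    for p in parts:
        if not (p.isascii() and p.isdigit()):
            raise ValueError(f"bad octet {p!r}")
        padded = len(p) > 1 and p[0] == "0"
        value = int(p, zero_base if padded else 10)
        if value > 255:
            raise ValueError(f"octet out of range: {p!r}")
        octets.append(value)
    return ipaddress.IPv4Address(bytes(octets))

def strict_parse(addr):
    """Hardened form: refuse any octet with a leading zero, so every
    consumer of the string sees the same address."""
    if any(len(p) > 1 and p[0] == "0" for p in addr.split(".")):
        raise ValueError(f"leading zero in {addr!r}")
    return read_quad(addr, 10)

def is_blocked(addr):
    """ACL decision on the strict reading; ambiguous input is denied."""
    try:
        return strict_parse(addr) in BLOCKED
    except ValueError:
        return True

def readings_disagree(addr):
    """True when the decimal and octal readings give different addresses."""
    try:
        return read_quad(addr, 10) != read_quad(addr, 8)
    except ValueError:
        return True  # e.g. "08" is not valid octal: still ambiguous input

if __name__ == "__main__":
    for s in ("10.1.2.3", "012.0.0.1", "192.168.08.1"):  # constructed samples
        print(s, "blocked" if is_blocked(s) else "allowed",
              "ambiguous" if readings_disagree(s) else "unambiguous")
```

A check that reads `012.0.0.1` as decimal sees 12.0.0.1, outside the blocked range, while an octal reader resolves the same string to 10.0.0.1; rejecting the string outright removes the disagreement.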

Comment 4 Herman Viaene 2021-07-27 15:45:12 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
OK on clean install.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 5 Aurelien Oudelet 2021-07-27 21:07:57 CEST
Validating.

Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-29424
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2021-07-27 22:23:23 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0375.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
