Bug 29025 - perl-Net-CIDR-Lite new security issue fixed upstream in 0.22
Summary: perl-Net-CIDR-Lite new security issue fixed upstream in 0.22
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-29 22:21 CEST by David Walser
Modified: 2021-07-27 22:23 CEST

See Also:
Source RPM: perl-Net-CIDR-Lite-0.210.0-9.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-05-29 22:21:57 CEST
Fedora has issued an advisory on April 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LDO7X4TBRIVL4G3GLZBEHFXC7IXMBAMW/

The issue is fixed upstream in 0.22.
David Walser 2021-05-29 22:22:09 CEST

Whiteboard: (none) => MGA7TOO

David Walser 2021-05-30 05:00:52 CEST

QA Contact: (none) => security
Component: RPM Packages => Security

Comment 1 David Walser 2021-07-01 18:55:09 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA7TOO => (none)

Comment 2 Nicolas Lécureuil 2021-07-23 18:10:08 CEST
version 0.22 uploaded in mga8


src:
    - perl-Net-CIDR-Lite-0.220.0-1.mga8

Assignee: thierry.vignaud => qa-bugs
CC: (none) => mageia

Comment 3 David Walser 2021-07-23 18:22:35 CEST
rhbz reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1961865

Severity: normal => major

Comment 4 Aurelien Oudelet 2021-07-23 22:24:47 CEST
Advisory:
========================

Updated perl-Net-CIDR-Lite package fixes a security vulnerability:

It was discovered that the perl Net-CIDR-Lite module did not correctly handle IP
addresses with IP octets containing leading zeros.  Leading zeros were ignored,
while the underlying system can treat such octets as octal numbers and interpret
them differently.  For example, the IP address 010.0.0.1 was considered by
Net-CIDR-Lite to be the same address as 10.0.0.1, while the system may consider
it to be IP address 8.0.0.1 (rhbz 1961865).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29025
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LDO7X4TBRIVL4G3GLZBEHFXC7IXMBAMW/
 - https://bugzilla.redhat.com/show_bug.cgi?id=1961865
========================

Updated package in core/updates_testing:
========================
perl-Net-CIDR-Lite-0.220.0-1.mga8

from SRPM:
perl-Net-CIDR-Lite-0.220.0-1.mga8.src.rpm

CC: (none) => ouaurelien
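
The parsing mismatch described in the advisory in Comment 4, shown as an added example that is not part of this bug report and is not Net-CIDR-Lite's code (written in Python rather than Perl). All function names, the `10.0.0.0/8` allow-list and the sample inputs are constructed for illustration, and rejecting leading zeros is shown as one possible mitigation, not as a statement of how upstream fixed 0.22.

```python
import ipaddress
import re

ALLOWED = ipaddress.ip_network("10.0.0.0/8")  # constructed allow-list
_STRICT_OCTET = re.compile(r"(?:0|[1-9][0-9]{0,2})\Z")

def parse_lenient(text):
    """Decimal parse that drops leading zeros (the behaviour the advisory describes)."""
    return ipaddress.IPv4Address(".".join(str(int(o, 10)) for o in text.split(".")))

def parse_inet_aton_style(text):
    """Four-part dotted quad with C-style bases: 0x hex, leading 0 octal, else decimal."""
    octets = []
    for o in text.split("."):
        if o.lower().startswith("0x"):
            base = 16
        elif len(o) > 1 and o.startswith("0"):
            base = 8
        else:
            base = 10
        octets.append(str(int(o, base)))
    return ipaddress.IPv4Address(".".join(octets))

def parse_strict(text):
    """Refuse any octet with a leading zero rather than guessing its base."""
    octets = text.split(".")
    if len(octets) != 4 or not all(_STRICT_OCTET.match(o) for o in octets):
        raise ValueError(f"ambiguous or malformed IPv4 address: {text!r}")
    return ipaddress.IPv4Address(text)

def audit(text):
    """Compare what a lenient checker approves with what an octal-aware consumer uses."""
    checked = parse_lenient(text)
    used = parse_inet_aton_style(text)
    try:
        strict = str(parse_strict(text))
    except ValueError:
        strict = "rejected"
    return {"checker_sees": str(checked), "allowed": checked in ALLOWED,
            "system_uses": str(used), "mismatch": checked != used, "strict": strict}

if __name__ == "__main__":
    for sample in ("10.0.0.1", "010.0.0.1", "10.0.0.010"):  # constructed inputs
        print(sample, audit(sample))
```

A `mismatch` of true together with `allowed` of true is the case the advisory warns about: the access check and the component that later uses the address disagree on which host it names.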

Comment 5 Herman Viaene 2021-07-27 15:40:55 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
Checked that MCC - Networkcenter is not disturbed by it (a wild guess), otherwise OK on clean install.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Aurelien Oudelet 2021-07-27 21:06:04 CEST
Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2021-07-27 22:23:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0376.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
