Fedora has issued an advisory today (July 4): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/44SPREQ2R4IE2VUUO2HVCFTUGDCYSXAD/ The issue is fixed upstream in vsftpd 3.0.4, nginx 1.21.0, and sendmail 8.17. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in vsftpd 3.0.4, nginx 1.21.0, sendmail 8.17
Whiteboard: (none) => MGA8TOO
Given the 3 SRPMS involved (of which one has no obvious maintainer), assigning this globally; CC'ing Stig for nginx, cjw for sendmail.
CC: (none) => cjw, smelror
Assignee: bugsquad => pkg-bugs
Regarding nginx, it's probably fixed in 1.20.1 as well. 1.21.0 is their development version that I don't want to push to mga8.
Yes. "nginx-1.20.1 stable and nginx-1.21.0 mainline versions have been released, with a fix for the 1-byte memory overwrite vulnerability in resolver (CVE-2021-23017)." https://nginx.org/
Cauldron has already been updated to 1.20.1. Looks like it's been updated with an upstream patch for mga8 by David Walser on 2021-06-28.
------------------------------------------------------------------------
r1734115 | luigiwalser | 2021-06-28 18:38:21 +0200 (Mon, 28 Jun 2021) | 1 line

add upstream patch to fix CVE-2021-23017
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
You got the wrong CVE (and there are two other packages to fix). See the Red Hat bug for a link to the nginx commit that fixed this issue.
Whiteboard: (none) => MGA8TOO
Version: 8 => Cauldron
Fedora has issued an advisory for vsftpd today (October 21): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TKXMYKALTHIBJLDHQPBKNQK2FWVOSIG7/
fixed in cauldron
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => mageia
From https://security-tracker.debian.org/tracker/CVE-2021-3618, this is fixed in sendmail 8.16.1 (so mga8 is not affected).
src:
- nginx-1.18.0-5.2.mga8
- vsftpd-3.0.5-1.mga8
Status comment: Fixed upstream in vsftpd 3.0.4, nginx 1.21.0, sendmail 8.17 => (none)
Assignee: pkg-bugs => qa-bugs
MGA8-64, GNOME
To satisfy dependencies, the following package(s) also need to be installed:
- lib64pcre16_0-8.44-1.mga8.x86_64
- lib64pcre32_0-8.44-1.mga8.x86_64
- lib64pcreposix1-8.44-1.mga8.x86_64
- pcre-8.44-1.mga8.x86_64
- webserver-base-2.0-15.mga8.noarch
- and of course nginx
Rebooted, went into services and started nginx.
Welcome to nginx 1.18.0 on Mageia!
CC: (none) => brtians1
MGA8-64, GNOME
- installed vsftpd
- started it in services
- realized I needed to configure it
- edited the vsftpd.conf file
- restarted service
- test ftp worked
sendmail - do I need to test this?
No, Sendmail apparently didn't need to be updated.
Whiteboard: (none) => MGA8-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0540.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED