Upstream has issued an advisory today (August 10): https://c-ares.haxx.se/adv_20210810.html The issue is fixed upstream in 1.17.2. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOOStatus comment: (none) => Fixed upstream in 1.17.2
Debian and Ubuntu have issued advisories for this today (August 10): https://www.debian.org/security/2021/dsa-4954 https://ubuntu.com/security/notices/USN-5034-1
Summary: c-ares new security issue => c-ares new security issue CVE-2021-3672
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
openSUSE has issued an advisory for this today (August 18): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4F2ZKNNMGENSNMAS5CDHA3CDDRAXF3AQ/
Fedora has issued an advisory for this today (August 18): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KPERAVSVZ542L4S6OA2QPUXNAJ4F2M5X/
Severity: normal => major
Suggested advisory: ======================== The updated packages fix a security vulnerability: Missing input validation on hostnames returned by DNS servers. (CVE-2021-3672) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672 https://c-ares.haxx.se/adv_20210810.html https://www.debian.org/security/2021/dsa-4954 https://ubuntu.com/security/notices/USN-5034-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4F2ZKNNMGENSNMAS5CDHA3CDDRAXF3AQ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KPERAVSVZ542L4S6OA2QPUXNAJ4F2M5X/ ======================== Updated packages in core/updates_testing: ======================== lib(64)cares2-1.17.1-1.1.mga8 lib(64)cares-devel-1.17.1-1.1.mga8 from SRPM: c-ares-1.17.1-1.1.mga8.src.rpm
Version: Cauldron => 8Status comment: Fixed upstream in 1.17.2 => (none)CVE: (none) => CVE-2021-3672Assignee: pkg-bugs => qa-bugsWhiteboard: MGA8TOO => (none)CC: (none) => nicolas.salgueroStatus: NEW => ASSIGNED
MGA8-64 Plasma on Lenovo B50 No installation issues. Ref bug 27654 Comment 3 fr testing, omitting the traces. $ aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme 09/30 15:13:54 [NOTICE] Downloading 1 item(s) 09/30 15:13:55 [NOTICE] Download afgerond: /home/tester8/Documenten/mirror.readme Download Results: gid |stat|avg speed |path/URI ======+====+===========+======================================================= 9cbc3d|OK | 15KiB/s|/home/tester8/Documenten/mirror.readme Status Legend: (OK):download completed. Downloaded file looks OK. # urpmi --aria2 guava Pakket guava-25.0-6.mga8.noarch is reeds geïnstalleerd Markeren van guava als handmatig geïnstalleerd. Het zal niet automatisch wees gemaakt worden. writing /var/lib/rpm/installed-through-deps.list Checked a few of the files listed in MCC: they are were expeted. OK, good to go.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 5.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0453.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED