Bug 29416 - libesmtp new security issue CVE-2019-19977
Summary: libesmtp new security issue CVE-2019-19977
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-26 18:31 CEST by David Walser
Modified: 2021-09-06 09:43 CEST

See Also:
Source RPM: libesmtp-1.0.6-12.mga8.src.rpm
CVE: CVE-2019-19977
Status comment:


Attachments

Description David Walser 2021-08-26 18:31:35 CEST
SUSE has issued an advisory on August 25:
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009358.html

Mageia 8 is also affected.
David Walser 2021-08-26 18:32:07 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-08-26 20:49:10 CEST
'libesmtp' has neither a registered nor an evident maintainer, so this has to be assigned globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-09-03 19:34:38 CEST
openSUSE has issued an advisory for this today (September 3):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TGZ4L5IPYNOJTWC7WZTAMPSFHIGKXQAE/

Status comment: (none) => Patch available from openSUSE

Comment 3 Nicolas Salguero 2021-09-06 09:43:38 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

libESMTP through 1.0.6 mishandles domain copying into a fixed-size buffer in ntlm_build_type_2 in ntlm/ntlmstruct.c, as demonstrated by a stack-based buffer over-read. (CVE-2019-19977)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19977
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009358.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TGZ4L5IPYNOJTWC7WZTAMPSFHIGKXQAE/
========================

Updated packages in core/updates_testing:
========================
lib(64)esmtp6-1.0.6-12.1.mga8
lib(64)esmtp-devel-1.0.6-12.1.mga8

from SRPM:
libesmtp-1.0.6-12.1.mga8.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2019-19977
Version: Cauldron => 8
Status comment: Patch available from openSUSE => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
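The advisory above describes the bug class rather than the fix: a domain name copied into a fixed-size buffer without checking that it fits, leading to a stack-based buffer over-read. As an added example (not libESMTP's code, not the openSUSE patch, and not the Mageia package), here is the defensive pattern such a copy should follow in C: the input length is measured without reading past the destination size, over-long input is rejected instead of truncated or spilled, and the destination is always NUL-terminated. The buffer size `DOMAIN_BUF_SIZE` and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a small fixed-size field, as a protocol
 * message builder might reserve for a target domain name. */
#define DOMAIN_BUF_SIZE 32

/* Copy a NUL-terminated domain name into a fixed-size buffer.
 * Returns the number of bytes copied, or -1 when an argument is missing or the
 * domain (plus its terminator) does not fit. The caller's buffer is never read
 * or written beyond dstlen bytes, and on success it is NUL-terminated. */
int copy_domain_bounded(char *dst, size_t dstlen, const char *domain)
{
    if (dst == NULL || domain == NULL || dstlen == 0)
        return -1;

    /* Measure the input by scanning at most dstlen bytes for the terminator,
     * so an unterminated or over-long source cannot cause an over-read. */
    const char *end = memchr(domain, '\0', dstlen);
    size_t len = end ? (size_t)(end - domain) : dstlen;

    /* len == dstlen means no terminator was found within the field, or the
     * name exactly fills it with no room for '\0': reject, do not truncate. */
    if (len >= dstlen)
        return -1;

    memcpy(dst, domain, len);
    dst[len] = '\0';
    return (int)len;
}

/* Wrapper using the example's fixed-size field. */
int fill_domain_field(char out[DOMAIN_BUF_SIZE], const char *domain)
{
    return copy_domain_bounded(out, DOMAIN_BUF_SIZE, domain);
}

int main(void)
{
    char field[DOMAIN_BUF_SIZE];
    /* Constructed inputs: one that fits, one that does not. */
    const char *ok = "EXAMPLE";
    const char *too_long = "this-domain-name-is-far-too-long-for-the-field";

    printf("%s -> %d\n", ok, fill_domain_field(field, ok));
    printf("%s -> %d\n", too_long, fill_domain_field(field, too_long));
    return 0;
}
```

The rejection branch is the point: a copy that silently truncates still hides a protocol error, and a copy that trusts the source length is the bug class the CVE describes. Returning an error lets the caller fail the authentication exchange cleanly.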

