SUSE has issued an advisory today (October 19): https://lists.suse.com/pipermail/sle-security-updates/2021-October/009610.html The issue is fixed upstream in 2.37.2.
Status comment: (none) => Patch available from upstream
CC: (none) => marja11
Assignee: bugsquad => basesystem
Security issues fixed upstream in util-linux have been announced today (January 24): https://www.openwall.com/lists/oss-security/2022/01/24/2 The upstream commits that fixed the issues are linked in the message above. The fixes are included in 2.37.3 (pushed in Cauldron).
Summary: util-linux new security issue CVE-2021-37600 => util-linux new security issues CVE-2021-37600 and CVE-2021-399[56]
Build failed in Cauldron, said it can't find linux/raw.h even though kernel-userspace-headers is in the buildroot. http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20220124145600.luigiwalser.duvel.855318/log/util-linux-2.37.3-1.mga9/build.x86_64.0.20220124145605.log
CC: (none) => tmb
Version: 8 => Cauldron
Status comment: Patch available from upstream => Patches available from upstream
Whiteboard: (none) => MGA8TOO
Linux raw interface is long gone... https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=603e4922f1c81fc2ed3a87b4f91a8d3aafc7e093
Maybe this: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=dff176e2f04c67bf8f4fc1800bd750dca17abeae
or just drop "--enable-raw"
Thanks (raw dropped by Thomas, 2.37.3 successfully built).
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Debian has issued an advisory for two of these CVEs on January 24: https://www.debian.org/security/2022/dsa-5055
(In reply to David Walser from comment #7)
> Debian has issued an advisory for two of these CVEs on January 24:
> https://www.debian.org/security/2022/dsa-5055

Fedora advisory from February 4 for the same CVEs: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SW73IARDAP7WWQ6ETYQB2OS2SLW4XTT3/
(In reply to David Walser from comment #8)
> (In reply to David Walser from comment #7)
> > Debian has issued an advisory for two of these CVEs on January 24:
> > https://www.debian.org/security/2022/dsa-5055
>
> Fedora advisory from February 4 for the same CVEs:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SW73IARDAP7WWQ6ETYQB2OS2SLW4XTT3/

Ubuntu advisory from today (February 9) for those two CVEs: https://ubuntu.com/security/notices/USN-5279-1
Fedora has issued an advisory today (February 16): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2YUFRTN7YYS4ESW372SWK2PURGSGVDL4/ The issue is fixed upstream in 2.37.4.
Summary: util-linux new security issues CVE-2021-37600 and CVE-2021-399[56] => util-linux new security issues CVE-2021-37600, CVE-2021-399[56], CVE-2022-0563
More details on CVE-2021-399[56] in this advisory: https://www.openwall.com/lists/oss-security/2022/02/17/2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37600 - disputed with comment:
NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.

but as the fix is non-invasive I've added it anyway.

I also updated to 2.36.2 maintenance release: https://cdn.kernel.org/pub/linux/utils/util-linux/v2.36/v2.36.2-ReleaseNotes

so all CVE fixes added on top of 2.36.2 and is now building as util-linux-2.36.2-1.mga8
SRPM:
util-linux-2.36.2-1.mga8.src.rpm

i586:
libblkid1-2.36.2-1.mga8.i586.rpm
libblkid-devel-2.36.2-1.mga8.i586.rpm
libfdisk1-2.36.2-1.mga8.i586.rpm
libfdisk-devel-2.36.2-1.mga8.i586.rpm
libmount1-2.36.2-1.mga8.i586.rpm
libmount-devel-2.36.2-1.mga8.i586.rpm
libsmartcols1-2.36.2-1.mga8.i586.rpm
libsmartcols-devel-2.36.2-1.mga8.i586.rpm
libuuid1-2.36.2-1.mga8.i586.rpm
libuuid-devel-2.36.2-1.mga8.i586.rpm
python3-libmount-2.36.2-1.mga8.i586.rpm
util-linux-2.36.2-1.mga8.i586.rpm
uuidd-2.36.2-1.mga8.i586.rpm

x86_64:
lib64blkid1-2.36.2-1.mga8.x86_64.rpm
lib64blkid-devel-2.36.2-1.mga8.x86_64.rpm
lib64fdisk1-2.36.2-1.mga8.x86_64.rpm
lib64fdisk-devel-2.36.2-1.mga8.x86_64.rpm
lib64mount1-2.36.2-1.mga8.x86_64.rpm
lib64mount-devel-2.36.2-1.mga8.x86_64.rpm
lib64smartcols1-2.36.2-1.mga8.x86_64.rpm
lib64smartcols-devel-2.36.2-1.mga8.x86_64.rpm
lib64uuid1-2.36.2-1.mga8.x86_64.rpm
lib64uuid-devel-2.36.2-1.mga8.x86_64.rpm
python3-libmount-2.36.2-1.mga8.x86_64.rpm
util-linux-2.36.2-1.mga8.x86_64.rpm
uuidd-2.36.2-1.mga8.x86_64.rpm
Assignee: basesystem => qa-bugs
mga8, x86_64

Updated packages without issues.
util-linux contains basic utilities which should be exercised during booting I think and definitely for logging in. So, logout and reboot. Kept an eye on the log - no problems flagged. Login as normal. Everything mounted as expected.

Ran GSmartControl to see if any disks supported SMART.
# gsmartcontrol
The terminal log posted many errors and warnings of this sort:
<warn> [hz] Warning: exit: Device open failed, or device did not return an IDENTIFY DEVICE structure.
<error> [gtk] setenv()/putenv() are not thread-safe and should not be used after threads are created
<error> [gtk] setenv()/putenv() are not thread-safe and should not be used after threads are created
<warn> [app] SmartctlParser::parse_section_info_property(): Unknown property "TRIM Command"

The gui appeared, displaying six disks - 2 plugged in USB drives, an optical drive, an HDD with SMART enabled, an unknown model (the NVME system disk) without SMART support and the optical drive. SMART was already enabled for one of the USB drives; the other one does not support SMART. The three SMART devices passed the health check.

It looks good so far. Leaving this in case somebody knows of any detailed tests we should run.
CC: (none) => tarazed25
OK, let's send this out.
Whiteboard: (none) => MGA8-64-OK
mga8-64 OK on my workstation: i7, plasma, nvidia-current, LUKS, LVM, ext4

Installed, rebooted, in use during the day, no issues noted.
CC: (none) => fri
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0076.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED