A security issue fixed upstream in protobuf has been announced today (January 12): https://www.openwall.com/lists/oss-security/2022/01/12/4 The issue is fixed upstream in 3.19.2. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.19.2
No single packager is evident for this, so I have to assign it globally.
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory today (February 16): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IFX6KPNOFHYD6L4XES5PCM3QNSKZBOTQ/ The issue is fixed upstream in 3.15.0.
Summary: protobuf, ruby-google-protobuf new security issue CVE-2021-22569 => protobuf, ruby-google-protobuf new security issues CVE-2021-22569 and CVE-2021-22570
Hi,

For Cauldron, protobuf and ruby-google-protobuf were updated to version 3.19.4. For Mageia 8, I only added the patch from Fedora for CVE-2021-22570 in protobuf-3.14.0-1.1.mga8.

Best regards,
Nico.
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
openSUSE has issued an advisory for CVE-2021-22570 on March 14: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WYCKEL27LS2QTHCEAYFVLKKSZP4MBBJQ/
Shouldn't this report be assigned to QA?
CC: (none) => yves.brungard_mageia
No, the ruby one hasn't been fixed yet.
Depends on: (none) => 30906
From the upstream advisory:

- Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected.
- google-protobuf [JRuby gem] (3.19.2)

We don't ship jruby or gems built for jruby, so we are not impacted.
CC: (none) => pterjan
Source RPM: protobuf-3.19.1-1.mga9.src.rpm, ruby-google-protobuf-3.11.4-1.mga8.src.rpm => protobuf-3.19.1-1.mga9.src.rpm
Summary: protobuf, ruby-google-protobuf new security issues CVE-2021-22569 and CVE-2021-22570 => protobuf new security issues CVE-2021-22569 and CVE-2021-22570
Ubuntu has issued an advisory for this today (March 13): https://ubuntu.com/security/notices/USN-5945-1
Patch added now for CVE-2021-22569!
CC: (none) => geiger.david68210
Assigned to QA in Bug 30906.
Status comment: Fixed upstream in 3.19.2 => (none)
Fixed in: https://advisories.mageia.org/MGASA-2023-0092.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED