A commit in zlib's upstream git from four years ago, which has not yet made it into a release, has been identified as fixing a security issue:
https://www.openwall.com/lists/oss-security/2022/03/24/1

I suspect we'll see a CVE for it shortly. Mageia 8 is also affected.
SRPM:
zlib-1.2.11-9.1.mga8.src.rpm

i586:
libminizip1-1.2.11-9.1.mga8.i586.rpm
libminizip-devel-1.2.11-9.1.mga8.i586.rpm
libzlib1-1.2.11-9.1.mga8.i586.rpm
libzlib-devel-1.2.11-9.1.mga8.i586.rpm
libzlib-static-devel-1.2.11-9.1.mga8.i586.rpm

x86_64:
lib64minizip1-1.2.11-9.1.mga8.x86_64.rpm
lib64minizip-devel-1.2.11-9.1.mga8.x86_64.rpm
lib64zlib1-1.2.11-9.1.mga8.x86_64.rpm
lib64zlib-devel-1.2.11-9.1.mga8.x86_64.rpm
lib64zlib-static-devel-1.2.11-9.1.mga8.x86_64.rpm
Version: Cauldron => 8
Assignee: bugsquad => qa-bugs
It now has a CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
Summary: zlib new security issue fixed upstream => zlib new security issue CVE-2018-25032
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
Ref bug 19529 for tests, but I run into problems with qt-fsarchiver (it wants a qt-fsarchiver-terminal which I do not find), and with nmapfe that does not exist (anymore?) at all.
CC: (none) => herman.viaene
(In reply to Thomas Backlund from comment #2)
> It now has a CVE
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032

Reference:
https://www.openwall.com/lists/oss-security/2022/03/25/2
I think I'll rebase to recently released 1.2.12 to pick up the other bugfixes at the same time...
Keywords: (none) => feedback
Changelog for 1.2.12:
https://www.zlib.net/ChangeLog.txt

new rpms:

SRPM:
zlib-1.2.12-1.mga8.src.rpm

i586:
libminizip1-1.2.12-1.mga8.i586.rpm
libminizip-devel-1.2.12-1.mga8.i586.rpm
libzlib1-1.2.12-1.mga8.i586.rpm
libzlib-devel-1.2.12-1.mga8.i586.rpm
libzlib-static-devel-1.2.12-1.mga8.i586.rpm

x86_64:
lib64minizip1-1.2.12-1.mga8.x86_64.rpm
lib64minizip-devel-1.2.12-1.mga8.x86_64.rpm
lib64zlib1-1.2.12-1.mga8.x86_64.rpm
lib64zlib-devel-1.2.12-1.mga8.x86_64.rpm
lib64zlib-static-devel-1.2.12-1.mga8.x86_64.rpm
Keywords: feedback => (none)
(In reply to Herman Viaene from comment #3)
> MGA8-64 Plasma on Lenovo B50 in Dutch
> No installation issues.
> Ref bug 19529 for tests, but I run into problems with qt-fsarchiver (it
> wants a qt-fsarchiver-terminal which I do not find), and with nmapfe that
> does not exist (anymore?) at all.

The following 3 packages are going to be installed:

- lib64minizip1-1.2.12-1.mga8.x86_64
- lib64zlib-devel-1.2.12-1.mga8.x86_64
- lib64zlib1-1.2.12-1.mga8.x86_64

MGA8-64 Plasma in English. No installation issues here, either.

Looked over Bug 19529. Since fsarchiver is having issues, I decided to try something else: Handbrake.

$ strace -o zlib.txt ghb

Converted three videos from various container types to .mp4. Examined the resulting strace file, and found one reference to /lib64/libz.so.1.

Did another strace with Ark, where I extracted some screenshots from a tar.gz file, and there I again found a single reference to libz.so.1.

Looks OK to me. Validating.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
Ubuntu has issued an advisory for this on March 30: https://ubuntu.com/security/notices/USN-5355-1
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0124.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED