+++ This bug was initially created as a clone of Bug #30287 +++
SUSE has issued an advisory today (April 13):
The issues are fixed upstream in 3.1.13.
3.1.13 also has fixes for CVE-2022-0194 and CVE-2022-2312[2-4], but the patch that fixed those issues caused a regression, so SUSE reverted it for their update.
Mageia 8 is also affected.
Upstream fix in 3.1.13 caused regression, no good fix yet
This package has no formal maintainer, but am assigning this (& its companion 30287) to DavidG who commited version: 3.1.12 - over 3y ago!
Fixed in Cauldron with latest 3.1.14 release!
Done also for mga8!
(In reply to David GEIGER from comment #2)
> Fixed in Cauldron with latest 3.1.14 release!
Are you sure that 3.1.14 fixes these CVEs (do you have a link that confirms that)? What about the CVE in Bug 31255?
from NEWS file:
Changes in 3.1.13
* FIX: CVE-2021-31439
* FIX: CVE-2022-23121
* FIX: CVE-2022-23123
* FIX: CVE-2022-23122
* FIX: CVE-2022-23125
* FIX: CVE-2022-23124
* FIX: CVE-2022-0194
* FIX: afpd: make a variable declaration a definition
* UPD: Remove bundled libevent
Ahh, so we already knew those fixes were in 3.1.13. The question is does 3.1.14 fix the regression?
Don't really know, it is not clearly mentioned in NEWS file: