Ubuntu has issued an advisory on July 26:
https://ubuntu.com/security/notices/USN-5531-1

Apparently, it may be bundled within other packages such as:
argyllcms
pidgin
sudo

So that needs to be checked too.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Ubuntu
(In reply to David Walser from comment #0)
> Ubuntu has issued an advisory on July 26:
> https://ubuntu.com/security/notices/USN-5531-1

Assigning to our registered protobuf-c maintainer

> Apparently, it may be bundled within other packages such as:
> argyllcms
> pidgin
> sudo
>
> So that needs to be checked too.

None of those have a registered maintainer, so CC'ing all packagers collectively for them.
Assignee: bugsquad => mageia
CC: (none) => marja11, pkg-bugs
Fedora has issued an advisory for this today (September 6): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FFN2GHUEGTSHRD7J5PKQ5DRSJSEQ2IKN/
Severity: major => normal
SUSE has issued an advisory on April 25: https://lists.suse.com/pipermail/sle-security-updates/2023-April/014571.html It fixes a new issue that, along with the original issue in this bug, is fixed upstream in 1.4.1.
Status comment: Patch available from Ubuntu => Fixed upstream in 1.4.1
Summary: protobuf-c new security issue CVE-2022-33070 => protobuf-c new security issues CVE-2022-33070 and CVE-2022-48468
In Fedora, protobuf-c is bundled in libsignal-protocol-c, and Fedora has issued an advisory for CVE-2022-48468 in that bundled copy on April 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EI4JZSHJXW7WOOTAQSV5SUCC5GE2GC2B/

In Mageia, libsignal-protocol-c is built with system protobuf-c.
Fixed for cauldron with protobuf-c-1.4.1-2.mga9!
Version: Cauldron => 8
CC: (none) => geiger.david68210
Whiteboard: MGA8TOO => (none)
Mageia 8 EOL
CC: (none) => nicolas.salguero
Status: NEW => RESOLVED
Resolution: (none) => OLD