A security issue fixed upstream in zlib was announced on August 5: https://www.cve.org/CVERecord?id=CVE-2022-37434 Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from upstream
This SRPM has had different maintainers, so assigning the update globally. CC'ing tmb & NicolasS who have dealt with it recently, and might want to do this update.
Assignee: bugsquad => pkg-bugs
CC: (none) => nicolas.salguero, tmb
fixed in mga8/9 src:
- zlib-1.2.12-1.2.mga8
CC: (none) => mageia
Version: Cauldron => 8
Status comment: Patch available from upstream => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
libzlib-devel-1.2.12-1.2.mga8
libzlib-static-devel-1.2.12-1.2.mga8
libzlib1-1.2.12-1.2.mga8
libminizip1-1.2.12-1.2.mga8
libminizip-devel-1.2.12-1.2.mga8
from zlib-1.2.12-1.2.mga8.src.rpm
See here: https://www.openwall.com/lists/oss-security/2022/08/09/1 A second commit needs to be added to fix a regression.
Keywords: (none) => feedback
Ubuntu has issued an advisory for this on August 17: https://ubuntu.com/security/notices/USN-5570-1
Assignee: qa-bugs => mageia
Keywords: feedback => (none)
Debian has issued an advisory for this on August 25: https://www.debian.org/security/2022/dsa-5218
Status comment: (none) => Second patch needs to be added to fix regression
Suggested advisory:
========================

The updated packages fix a security vulnerability:

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference). (CVE-2022-37434)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434
https://www.openwall.com/lists/oss-security/2022/08/09/1
https://ubuntu.com/security/notices/USN-5570-1
https://www.debian.org/security/2022/dsa-5218
========================

Updated packages in core/updates_testing:
========================

lib(64)minizip1-1.2.12-1.3.mga8
lib(64)minizip-devel-1.2.12-1.3.mga8
lib(64)zlib1-1.2.12-1.3.mga8
lib(64)zlib-devel-1.2.12-1.3.mga8
lib(64)zlib-static-devel-1.2.12-1.3.mga8

from SRPM:
zlib-1.2.12-1.3.mga8.src.rpm
CVE: (none) => CVE-2022-37434
Assignee: mageia => qa-bugs
Status comment: Second patch needs to be added to fix regression => (none)
Source RPM: zlib-1.2.12-2.mga9.src.rpm => zlib-1.2.12-1.1.mga8.src.rpm
Status: NEW => ASSIGNED
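The advisory text above only says that inflate() can over-read or overflow on a large gzip extra field and that callers of inflateGetHeader() are the ones exposed. The following is an added illustration written for this page, not code from this bug report or from zlib itself: it models the copy-length arithmetic for the caller-supplied extra buffer (gz_header's extra / extra_max / extra_len) with a pre-fix and a post-fix variant, and drives both with a constructed 64-byte extra field delivered in chunks, the way inflate() sees it when an application feeds input buffer by buffer. The struct, function names and the exact conditions are simplifications and assumptions for the demonstration; the model never performs the oversized copy, it only reports the length that would have been requested.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* The three gz_header fields involved, modelled for this example
 * (illustration only, not zlib's own struct). */
typedef struct {
    unsigned char *extra;   /* caller's buffer for the extra field       */
    unsigned extra_max;     /* size of that buffer                       */
    unsigned extra_len;     /* total length announced by the gzip header */
} gz_hdr_model;

/* Each call receives `copy` bytes of the extra field with `remaining` bytes
 * (these included) still to come, so the chunk's offset inside the field is
 * len = extra_len - remaining.  Both functions return how many bytes would
 * be memcpy'd to extra + len. */

/* Pre-fix arithmetic (assumed shape of the flaw): nothing checks that
 * len < extra_max, so once the offset is past the end of the buffer,
 * extra_max - len wraps around to a huge unsigned value, which is then the
 * length of the out-of-bounds copy. */
unsigned copy_len_vulnerable(const gz_hdr_model *h, unsigned remaining, unsigned copy)
{
    unsigned len = h->extra_len - remaining;
    return len + copy > h->extra_max ? h->extra_max - len : copy;
}

/* Post-fix arithmetic: once the buffer is full nothing more is copied; the
 * field is still consumed and extra_len still reports its true size. */
unsigned copy_len_fixed(const gz_hdr_model *h, unsigned remaining, unsigned copy)
{
    unsigned len = h->extra_len - remaining;
    if (len >= h->extra_max)
        return 0;
    return len + copy > h->extra_max ? h->extra_max - len : copy;
}

typedef unsigned (*copy_len_fn)(const gz_hdr_model *, unsigned, unsigned);

/* Simulates inflate() being handed a field_len-byte extra field in pieces of
 * `chunk` bytes.  Only copies that fit are actually performed, so the model
 * itself never overflows; the largest length any chunk asked for is
 * returned so the wrap-around is observable. */
unsigned feed_extra_field(gz_hdr_model *h, const unsigned char *field,
                          unsigned field_len, unsigned chunk, copy_len_fn fn)
{
    unsigned worst = 0, remaining = field_len;
    h->extra_len = field_len;
    while (remaining > 0) {
        unsigned copy = remaining < chunk ? remaining : chunk;
        unsigned len = h->extra_len - remaining;
        unsigned n = fn(h, remaining, copy);
        if (n > worst)
            worst = n;
        if (n <= copy && len + n <= h->extra_max)   /* refuse the bad copy */
            memcpy(h->extra + len, field + len, n);
        remaining -= copy;
    }
    return worst;
}

#define EXTRA_MAX 16u

/* Runs one scenario on a constructed extra field (bytes 0,1,2,...) against a
 * 16-byte caller buffer and returns the worst copy length requested. */
unsigned scenario(copy_len_fn fn, unsigned field_len, unsigned chunk)
{
    unsigned char field[256];
    unsigned char extra[EXTRA_MAX];
    gz_hdr_model h = { extra, EXTRA_MAX, 0 };
    if (field_len > sizeof field)
        field_len = sizeof field;
    for (unsigned i = 0; i < sizeof field; i++)
        field[i] = (unsigned char)i;
    memset(extra, 0, sizeof extra);
    return feed_extra_field(&h, field, field_len, chunk, fn);
}

int main(void)
{
    printf("fixed,      64-byte field, 16-byte chunks: worst copy %u\n",
           scenario(copy_len_fixed, 64, 16));
    printf("vulnerable, 64-byte field, 16-byte chunks: worst copy %u\n",
           scenario(copy_len_vulnerable, 64, 16));
    printf("vulnerable, 64-byte field in a single call: worst copy %u\n",
           scenario(copy_len_vulnerable, 64, 64));
    return 0;
}
```

In the model, the pre-fix arithmetic is harmless as long as the whole field arrives in one call (offset 0, copy clamped to 16), and turns into a copy of about four billion bytes on the third 16-byte chunk, which is why a QA check for this update should exercise inflateGetHeader() with the input fed in small pieces rather than as one buffer.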
Fedora has issued an advisory for this today (September 2): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/
MGA8-64 Plasma. No installation issues. Repeated the test from https://bugs.mageia.org/show_bug.cgi?id=30204#c7 except with different object files, with the same results. Validating. Advisory in Comment 7.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0328.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED