Upstream has issued an advisory on September 22: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf The issue is fixed upstream in 3.19.5. It would appear to be the Python subpackage (python3-protobuf) that's affected. Mageia 8 is also affected.
Blocks: (none) => 29876
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.19.5
Hi, For Cauldron, protobuf was updated to version 3.19.5. Best regards, Nico.
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
SUSE has issued an advisory today (November 9): https://lists.suse.com/pipermail/sle-security-updates/2022-November/012857.html It fixes two issues we already had bugs for (Bug 29876 and this bug) and an additional issue CVE-2022-3171, which is fixed upstream in 3.19.6: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2 The new issue also affects ruby-google-protobuf (where it is fixed upstream in 3.21.7), and also affects Mageia 8.
Whiteboard: (none) => MGA8TOO
Status comment: Fixed upstream in 3.19.5 => Fixed upstream in protobuf 3.19.6 and ruby-google-protobuf 3.21.7
Source RPM: protobuf-3.19.4-2.mga9.src.rpm => protobuf-3.19.4-2.mga9.src.rpm, ruby-google-protobuf-3.21.6-1.mga9.src.rpm
Version: 8 => Cauldron
Summary: protobuf new security issue CVE-2022-1941 => protobuf new security issues CVE-2022-1941 and CVE-2022-3171
CC: (none) => pterjan
Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/R2AEGDIGMLKPLFNJRJWFW4RS6QWEK2NB/
ruby-google-protobuf is not impacted by CVE-2022-3171 which is a Java only problem. We don't ship jruby or any gem built for jruby, only native versions.
Source RPM: protobuf-3.19.4-2.mga9.src.rpm, ruby-google-protobuf-3.21.6-1.mga9.src.rpm => protobuf-3.19.4-2.mga9.src.rpm
Status comment: Fixed upstream in protobuf 3.19.6 and ruby-google-protobuf 3.21.7 => Fixed upstream in protobuf 3.19.6
Ubuntu has issued an advisory for CVE-2022-1941 on December 8: https://ubuntu.com/security/notices/USN-5769-1
Status comment: Fixed upstream in protobuf 3.19.6 => Fixed upstream in 3.19.6
Fedora has issued an advisory for this on December 18: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31431
Cauldron has version: 3.19.6. Not sure what the problem is, but can this bug be progressed? Note its new companion bug 31431.
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31432
Blocks: (none) => 31430
Ubuntu has issued an advisory for CVE-2022-1941 (and the issues in Bug 29876) today (March 13): https://ubuntu.com/security/notices/USN-5945-1
Patch added now for CVE-2022-1941 and CVE-2022-3171!
CC: (none) => geiger.david68210
Cauldron has been updated to 21.12 by Jani and David. This update addresses CVE-2021-22569 and CVE-2021-22570 (Bug 29876) as well as CVE-2022-1941 and CVE-2022-3171 (Bug 30906).
Assignee: java => qa-bugs
Status comment: Fixed upstream in 3.19.6 => (none)
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
protobuf-javadoc-3.14.0-1.2.mga8
libprotobuf25-3.14.0-1.2.mga8
libprotoc25-3.14.0-1.2.mga8
libprotobuf-devel-3.14.0-1.2.mga8
protobuf-java-3.14.0-1.2.mga8
libprotobuf-lite25-3.14.0-1.2.mga8
python3-protobuf-3.14.0-1.2.mga8
protobuf-javalite-3.14.0-1.2.mga8
protobuf-compiler-3.14.0-1.2.mga8
protobuf-parent-3.14.0-1.2.mga8
protobuf-bom-3.14.0-1.2.mga8
protobuf-java-util-3.14.0-1.2.mga8
protobuf-vim-3.14.0-1.2.mga8
libprotobuf-static-devel-3.14.0-1.2.mga8
from protobuf-3.14.0-1.2.mga8.src.rpm
This seems to be all developer's area, so OK on clean install. Tried a few urpmq operations, nothing useful shown.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
A search for previous updates shows "protobuf" as needed by vlc, and urpmq --whatrequires shows that vlc-plugin-common requires lib64protobuf-lite25 as a runtime library, but I have no idea which of the seemingly hundreds of plugins in that package uses it. But I tried, anyway. After the update, I tried running strace with vlc and played an mp4 file from Handbrake and the original avi file from a digital camera, but a search of the resulting file found no reference to "protobuf" at all. I tried again, this time attempting streaming from the Internet, which failed miserably because I didn't know what I was doing. No reference to "protobuf" this time either, so I don't believe it was this update that caused the failure. I'm going to give this a tentative validation on our clean installs. If this needs further testing, I will need some guidance on how to do it.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0092.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED