+++ This bug was initially created as a clone of Bug #30975 +++

libksba 1.6.2 fixes a security issue: https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html

The above advisory has been updated, as 1.6.2 didn't fully fix the issue. The issue is fixed upstream in 1.6.3.

Debian has issued an advisory for this on December 21: https://www.debian.org/security/2022/dsa-5305

Mageia 8 is also affected.
CVE: CVE-2022-3515 => CVE-2022-47629
Status comment: (none) => Fixed upstream in 1.6.3
Whiteboard: (none) => MGA8TOO
Nicolas, I know this SRPM is not your baby, but you did a similar CVE update to it not long ago, so you have been here before; a very similar job. New version 1.6.2 for CVE...
Assignee: bugsquad => nicolas.salguero
CC: nicolas.salguero => (none)
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser. (CVE-2022-47629)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47629
https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
https://www.debian.org/security/2022/dsa-5305
========================

Updated packages in core/updates_testing:
========================

lib(64)ksba8-1.5.0-1.2.mga8
lib(64)ksba-devel-1.5.0-1.2.mga8

from SRPM:
libksba-1.5.0-1.2.mga8.src.rpm
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Source RPM: libksba-1.6.2-1.mga9.src.rpm => libksba-1.5.0-1.1.mga8.src.rpm
Status comment: Fixed upstream in 1.6.3 => (none)
CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 8
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Followed leads from bug 30975 Comment 32 and Comment 8

$ gpgconf --show-version
* GnuPG 2.2.36 (491645b50) GNU/Linux
* Libgcrypt 1.8.7 (04c156a4)
version:1.8.7:10807:1.41-unknown:12900:
cc:100300:gcc:10.3.0:
ciphers:arcfour:blowfish:cast5:des:aes:twofish:serpent:rfc2268:seed:camellia:idea:salsa20:gost28147:chacha20:
pubkeys:dsa:elgamal:rsa:ecc:
digests:crc:gostr3411-94::md4:md5:rmd160:sha1:sha256:sha512:sha3:tiger:whirlpool:stribog:blake2:
rnd-mod:egd:linux:unix:
cpu-arch:x86:
mpi-asm:amd64/mpih-add1.S:amd64/mpih-sub1.S:amd64/mpih-mul1.S:amd64/mpih-mul2.S:amd64/mpih-mul3.S:amd64/mpih-lshift.S:amd64/mpih-rshift.S:
hwflist:intel-ssse3:intel-rdtsc:
fips-mode:n:n:
rng-type:standard:1:2010000:1:
* GpgRT 1.41-unknown (0000000)
* Libassuan 2.5.4 (e368b40)
* KSBA 1.5.0 (9c0a818)
* GNUTLS 3.6.15

$ gpgsm --gen-key > x.pem
gpgsm (GnuPG) 2.2.36; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA
   (2) Existing key
   (3) Existing key from card
Your selection? 1
What keysize do you want? (3072)
Requested keysize is 3072 bits
Possible actions for a RSA key:
   (1) sign, encrypt
   (2) sign
   (3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=<name>, O=thuis, C=unv
Enter email addresses (end with an empty line):
> <mail-address>
>
Enter DNS names (optional; end with an empty line):
>
Enter URIs (optional; end with an empty line):
>
Create self-signed certificate? (y/N) y
These parameters are used:
    Key-Type: RSA
    Key-Length: 3072
    Key-Usage: sign, encrypt
    Serial: random
    Name-DN: CN=<name>, O=thuis, C=unv
    Name-Email: <mail-address>
Proceed with creation? (y/N) y
Now creating self-signed certificate. This may take a while ...
gpgsm: about to sign the certificate for key: &DA504B849C780A269CBBB4365E74F44B85F3871E
gpgsm: certificate created
Ready.

So worked OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0485.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED