Apache has announced a security issue fixed upstream in apr-util on January 31:
https://www.openwall.com/lists/oss-security/2023/01/31/4
The issue is fixed upstream in 1.6.2.
Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.6.2
Whiteboard: (none) => MGA8TOO
Assigning to all packagers collectively, because there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. (CVE-2022-25147)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25147
https://www.openwall.com/lists/oss-security/2023/01/31/4
========================

Updated packages in core/updates_testing:
========================
apr-util-dbd-ldap-1.6.3-1.mga8
apr-util-dbd-mysql-1.6.3-1.mga8
apr-util-dbd-odbc-1.6.3-1.mga8
apr-util-dbd-pgsql-1.6.3-1.mga8
apr-util-dbd-sqlite3-1.6.3-1.mga8
apr-util-dbm-db-1.6.3-1.mga8
apr-util-nss-1.6.3-1.mga8
apr-util-openssl-1.6.3-1.mga8
lib(64)apr-util1_0-1.6.3-1.mga8
lib(64)apr-util-devel-1.6.3-1.mga8

from SRPM:
apr-util-1.6.3-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 1.6.2 => (none)
Source RPM: apr-util-1.6.1-8.mga9.src.rpm => apr-util-1.6.1-4.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-25147
Version: Cauldron => 8
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 22054 Comment 5
# systemctl stop httpd
# strace -o /home/tester8/Documents/aprutil.txt httpd
# systemctl stop httpd
Trace file shows call to the lib as in referred bug.
OK for me.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
openSUSE has issued an advisory for this today (February 13): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OGPECRBP6DD7JUZRKAPXR2B37ATR4POJ/
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0045.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED