Bug 31573 - c-ares new security issue CVE-2022-4904
Summary: c-ares new security issue CVE-2022-4904
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-02-19 17:06 CET by David Walser
Modified: 2023-05-23 07:27 CEST

See Also:
Source RPM: c-ares-1.17.1-1.1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2023-02-19 17:06:19 CET
Debian-LTS has issued an advisory on February 18:
https://www.debian.org/lts/security/2023/dla-3323

The issue is fixed upstream in 1.19.0:
https://c-ares.org/changelog.html
https://github.com/c-ares/c-ares/pull/497
David Walser 2023-02-19 17:06:40 CET

Status comment: (none) => Fixed upstream in 1.19.0

Comment 1 Lewis Smith 2023-02-19 19:59:00 CET
Version 1.19.0 is already in Cauldron.
Assigning this update globally as different packagers do this SRPM.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2023-02-19 21:33:50 CET
Patched package uploaded for Mageia 8 by David Geiger.

libcares2-1.17.1-1.2.mga8
libcares-devel-1.17.1-1.2.mga8

from c-ares-1.17.1-1.2.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.19.0 => (none)
CC: (none) => geiger.david68210

Comment 3 Herman Viaene 2023-02-21 15:57:59 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 27654 Comment 3 for testing, omitting the traces.
$ aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme

02/21 15:47:57 [NOTICE] Downloading 1 item(s)
[#96d48f 0B/2.3KiB(0%) CN:1 DL:0B]                                                                                                      
02/21 15:47:58 [NOTICE] Download complete: /home/tester8/mirror.readme

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
96d48f|OK  |   7.5KiB/s|/home/tester8/mirror.readme

Status Legend:
(OK):download completed.
Downloaded file looks OK.

# urpmi --aria2 guava
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  guava                          25.0         6.mga8        noarch  
  jsr-305                        1            0.30.2013091> noarch  
2.5MB of additional disk space will be used.
2.2MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y


    $MIRRORLIST: media/core/release/jsr-305-1-0.30.20130910svn.5.mga8.noarch.rpm
    $MIRRORLIST: media/core/release/guava-25.0-6.mga8.noarch.rpm                                                                        
installing guava-25.0-6.mga8.noarch.rpm jsr-305-1-0.30.20130910svn.5.mga8.noarch.rpm from /var/cache/urpmi/rpms                         
Preparing...                     ######################################################################################################
      1/2: jsr-305               ######################################################################################################
      2/2: guava                 ######################################################################################################
Checked a few of the files listed in MCC: they are where expected.
OK, good to go.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2023-02-21 17:00:18 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-02-25 20:52:29 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-02-27 21:29:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0069.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2023-05-20 01:29:29 CEST
This update never actually got pushed.

Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

Comment 7 Dave Hodgins 2023-05-23 07:27:05 CEST
Fixed.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

