Bug 31670 - libmicrohttpd new security issue fixed upstream in 0.9.76 (CVE-2023-27371)
Summary: libmicrohttpd new security issue fixed upstream in 0.9.76 (CVE-2023-27371)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-03-14 03:00 CET by David Walser
Modified: 2023-03-30 22:59 CEST (History)
CC List: 4 users

See Also:
Source RPM: libmicrohttpd-0.9.72-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2023-03-14 03:00:24 CET
libmicrohttpd 0.9.76 has been released on February 27:
https://lists.gnu.org/archive/html/libmicrohttpd/2023-02/msg00000.html

It fixes a security bug.  Either Mageia 8 should be updated or the patch should be backported.
Comment 1 Lewis Smith 2023-03-14 20:55:35 CET
0.9.76 is already in Cauldron thanks to luigi.

Assigning this M8 update globally as different packagers maintain the SRPM.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-03-16 13:51:55 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In the MHD_PostProcessor, malformed inputs can be used to crash the server (for denial-of-service).

References:
https://lists.gnu.org/archive/html/libmicrohttpd/2023-02/msg00000.html
========================

Updated packages in core/updates_testing:
========================
lib(64)microhttpd12-0.9.72-1.1.mga8
lib(64)microhttpd-devel-0.9.72-1.1.mga8

from SRPM:
libmicrohttpd-0.9.72-1.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED

Comment 3 Thomas Andrews 2023-03-18 22:37:49 CET
No installation issues.

A search for a previous bug revealed just one, reaching all the way back to Mageia 3, bug 11936. That did show a test procedure, but it seems that the package that provided the command, microspdy2http, is no longer in Mageia. So, no help there.

Urpmq --whatrequires showed systemd and Kodi as needing the package, so after a reboot of the test system to "reset" systemd, I tried each of them.

With an strace of Kodi, I set up the weather app to get a forecast for New York City (Apparently Syracuse, the city closest to me, isn't available) and the weather looked to be relatively nice. I then watched several different IPTV channels, all of which worked except for those labeled as "geo-blocked." I didn't see any issues with what I did, but then an examination of the resulting strace file didn't show any reference to libmicrohttpd that kwrite could find.

So I tried some systemd commands. Since I'm treading over largely unfamiliar territory there, I kept it to commands that should be relatively harmless. I listed all the unit files, but didn't see anything there that jumped out at me as having to do with a server. An attempt to enable the httpd service informed me that it didn't exist. (As it should: Apache isn't installed.)

I checked the status of some units that *are* there, and the answers were all what I expected them to be. I did not muck about with enabling or disabling things that I don't understand.

That's about as far as I can go with what I know. Systemd didn't crash the system, which I consider a definite plus.

I wouldn't mind giving this an OK based on what little I did, but would feel better if someone who is more familiar with this sort of thing could take a look at it.

CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2023-03-19 19:42:58 CET
Testing on MGA8 Plasma system on an HP Probook 6550b.

I was completely overthinking the whole thing in the last comment.

It seems that another app that requires this library is psensor, used to set up a minimal HTTP server. So, after doing some reading...

[tom@localhost ~]$ psensor-server
[(null)] [ERR] Cannot open log file: /var/log/psensor-server.log
[(null)] [ERR] hddtemp: failed to open connection.
[(null)] [INFO] BCM2835: The BCM2835 has not been detected.
[(null)] [INFO] Web server started on port: 3131
[(null)] [INFO] WWW directory: /usr/share/psensor/www
[(null)] [INFO] URL: http://localhost:3131

I think the first "err" was from not running as root. Not sure about the second, but I don't believe it is related to the library under test.

Pointing Firefox to the above URL showed a page giving information from the various sensors that psensor monitors on this laptop. An strace of the process shows one call to "/lib64/libmicrohttpd.so.12" early in the process.

So, it appears to work. Giving this an OK, and validating. Advisory in comment 2.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
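
Added example, not part of the bug report or of Mageia's QA tooling: the question behind comments 3 and 4 is whether a running service has actually loaded the updated libmicrohttpd. Reading /proc/<pid>/maps answers that directly (an strace only shows the open() at startup, which is easy to miss), rpm -qf ties the mapped file back to its package, and a simplified rpm-style version comparison confirms the build is at or above the 0.9.72-1.1.mga8 from the advisory in comment 2. It assumes a Linux system with /proc and rpm; psensor-server is used as the target only because comment 4 does, and the maps lines in the test are constructed.

```shell
#!/bin/bash
# Added example for bug 31670 (not from the bug report or Mageia tooling):
# confirm that a live process has the patched libmicrohttpd mapped.
# Assumed: Linux /proc, rpm. FIXED_EVR is the build named in the advisory.

FIXED_EVR="0.9.72-1.1.mga8"

# Simplified rpm version comparison: split into alternating digit/alpha
# segments, compare numeric segments as numbers, a numeric segment beats an
# alpha one, a string with segments left over is newer. Prints -1, 0 or 1.
evr_cmp() {
    local s x y i p q n
    s='s/[^A-Za-z0-9]+/ /g; s/([0-9])([A-Za-z])/\1 \2/g; s/([A-Za-z])([0-9])/\1 \2/g'
    read -r -a x <<< "$(printf '%s' "$1" | sed -E "$s")"
    read -r -a y <<< "$(printf '%s' "$2" | sed -E "$s")"
    n=${#x[@]}; [ ${#y[@]} -gt "$n" ] && n=${#y[@]}
    for ((i = 0; i < n; i++)); do
        p=${x[i]-}; q=${y[i]-}
        if [ -z "$p" ]; then echo -1; return; fi
        if [ -z "$q" ]; then echo 1; return; fi
        if [[ $p =~ ^[0-9]+$ && $q =~ ^[0-9]+$ ]]; then
            (( 10#$p > 10#$q )) && { echo 1; return; }
            (( 10#$p < 10#$q )) && { echo -1; return; }
        elif [[ $p =~ ^[0-9]+$ ]]; then echo 1; return
        elif [[ $q =~ ^[0-9]+$ ]]; then echo -1; return
        elif [[ $p > $q ]]; then echo 1; return
        elif [[ $p < $q ]]; then echo -1; return
        fi
    done
    echo 0
}

# True if $1 (a "%{VERSION}-%{RELEASE}" string from rpm -q) is the fixed
# build or newer. A plain 0.9.72 check would wrongly flag the backport.
is_fixed_build() {
    [ "$(evr_cmp "$1" "$FIXED_EVR")" -ge 0 ]
}

# Print the libmicrohttpd objects mapped into a process. Reads a
# /proc/<pid>/maps listing on stdin so a saved copy can be checked too.
mapped_microhttpd() {
    awk 'NF >= 6 && $6 ~ /libmicrohttpd\.so/ { print $6 }' | sort -u
}

# Live check: which libmicrohttpd file PID $1 has mapped, which package
# owns it, and whether that package is the fixed build.
check_pid() {
    local pid="$1" lib pkg evr
    lib=$(mapped_microhttpd < "/proc/$pid/maps" | head -n1)
    if [ -z "$lib" ]; then
        echo "PID $pid: libmicrohttpd is NOT mapped; this process does not exercise the update"
        return 1
    fi
    pkg=$(rpm -qf "$lib" 2>/dev/null) || pkg="(no owning package)"
    evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' -f "$lib" 2>/dev/null)
    echo "PID $pid: $lib owned by $pkg"
    if is_fixed_build "$evr"; then
        echo "PID $pid: $evr is at or above $FIXED_EVR: OK"
    else
        echo "PID $pid: $evr is older than $FIXED_EVR: still vulnerable"
        return 1
    fi
}

# Usage, with psensor-server started as in comment 4:
#   ./check_mhd.sh "$(pidof psensor-server)"
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -gt 0 ]; then
    check_pid "$1"
fi
```

Running it against Kodi would have settled comment 3 in one line: an empty result from mapped_microhttpd means the library was never loaded by that process, so the process cannot validate the update either way.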

Dave Hodgins 2023-03-24 00:30:29 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-03-24 06:57:44 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0114.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2023-03-30 22:59:17 CEST
This is CVE-2023-27371:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014231.html

Summary: libmicrohttpd new security issue fixed upstream in 0.9.76 => libmicrohttpd new security issue fixed upstream in 0.9.76 (CVE-2023-27371)
