Ubuntu has issued an advisory today (April 4):
https://ubuntu.com/security/notices/USN-5997-1
The issue is fixed upstream in 1.8.19. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.8.19
Whiteboard: (none) => MGA8TOO
Assigning to our registered ipmitool maintainer.
Assignee: bugsquad => makowski.mageia
CC: (none) => marja11
Phillipe isn't currently active with packaging.
Assignee: makowski.mageia => pkg-bugs
Suggested advisory:
========================

The updated package fixes a security vulnerability:

It's been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user. This problem is fixed in version 1.8.19. (CVE-2020-5208)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5208
https://ubuntu.com/security/notices/USN-5997-1
========================

Updated package in core/updates_testing:
========================
ipmitool-1.8.18-7.1.mga8

from SRPM:
ipmitool-1.8.18-7.1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 1.8.19 => (none)
Version: Cauldron => 8
Source RPM: ipmitool-1.8.18-9.mga9.src.rpm => ipmitool-1.8.18-7.mga8.src.rpm
CVE: (none) => CVE-2020-5208
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
mga8, x64
Earlier attempts to treat this (bug 26218) failed for the lack of an Intelligent Platform Management Interface. There might be such a device on other machines here. Shall have a look later. Such a thing should be apparent in the BIOS I would have thought.
CC: (none) => tarazed25
Found no IPMI devices so far. Going for a clean install.
$ rpm -q ipmitool
ipmitool-1.8.18-7.1.mga8
# chkconfig ipmi on systemd
$ ipmitool mc info
Could not open device at /dev/ipmi0 or /dev/ipmi/0 or /dev/ipmidev/0: No such file or directory
Whiteboard: (none) => MGA8-64-OK
In my line of work "IPM" stands for "Integrated Pest Management." Realizing that doesn't apply here, I read the Wikipedia article on IPMI. What little I understood didn't sound like hardware that anyone in QA is likely to have, so I agree with Len on the clean install. Validating. Advisory in comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0135.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED