CVE-2024-24806 was announced here:
https://www.openwall.com/lists/oss-security/2024/02/08/2
https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6

It is fixed in version 1.48.0 and with the following commits:
https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629
https://github.com/libuv/libuv/commit/3530bcc30350d4a6ccf35d2f7b33e23292b9de70
https://github.com/libuv/libuv/commit/e0327e1d508b8207c9150b6e582f0adf26213c39

Mageia 9 is also affected.
Status comment: (none) => Patches available from upstream and fixed upstream in 1.48.0
CVE: (none) => CVE-2024-24806
Source RPM: (none) => libuv-1.47.0-1.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
Stig currently does version upgrades for this, so assigning to you. I am unsure of the significance of "fixed in version 1.48.0 and with the following commits": does one need both? or is it a choice between the two? If the latter, the new version alone is the answer; otherwise new version + patches. Nicolas: can you clarify?
Assignee: bugsquad => smelror
(In reply to Lewis Smith from comment #1)
> I am unsure of the significance of "fixed in version 1.48.0 and with the
> following commits": does one need both? or is it a choice between the two?
> If the latter, the new version alone is the answer; otherwise new version +
> patches.

Sorry for not being clear. I meant: "version 1.48.0 fixed the issue by including the listed commits". So, for Cauldron, we need to update to version 1.48.0 and, for Mageia 9, if we do not want to update to version 1.48.0, we need to add (maybe backport) the patches given by the commits.
Suggested advisory:
========================

The updated packages fix a security vulnerability:

It was discovered that the uv_getaddrinfo() function in libuv, an asynchronous event notification library, incorrectly truncated certain hostnames, which may result in bypass of security measures on internal APIs or SSRF attacks. (CVE-2024-24806)

References:
https://www.openwall.com/lists/oss-security/2024/02/08/2
https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
https://lists.debian.org/debian-security-announce/2024/msg00044.html
========================

Updated packages in core/updates_testing:
========================
lib64uv1-1.44.2-2.1.mga9
lib64uv-devel-1.44.2-2.1.mga9
lib64uv-static-devel-1.44.2-2.1.mga9

from SRPM:
libuv-1.44.2-2.1.mga9.src.rpm
Assignee: smelror => qa-bugs
Version: Cauldron => 9
Source RPM: libuv-1.47.0-1.mga10.src.rpm => libuv-1.44.2-2.mga9.src.rpm
Status comment: Patches available from upstream and fixed upstream in 1.48.0 => (none)
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Keywords: (none) => advisory
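A caller-side guard in the spirit of this advisory, added here as an illustration and not part of the Mageia update or of libuv itself: it validates a hostname against the RFC 1035 length limits before the name is handed to any resolver, so an over-long name is refused outright rather than being silently truncated into a different name. It assumes the hostname is already in ASCII (A-label) form; internationalized names would need IDNA conversion first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 1035 limits: each label is at most 63 octets and a hostname in text
 * form is at most 253 characters (255 octets on the wire). */
#define HOSTNAME_MAX_TEXT 253
#define LABEL_MAX 63

/* Return true if `host` is a hostname that can be passed to a resolver with
 * no risk of truncation: non-empty, within the overall and per-label length
 * limits, no empty labels, letters/digits/hyphen only, and no label starting
 * with a hyphen. One trailing dot (absolute-name form) is accepted. */
bool hostname_is_safe_for_resolver(const char *host) {
    if (host == NULL) return false;
    size_t len = strlen(host);
    if (len > 0 && host[len - 1] == '.') len--;      /* allow "example.com." */
    if (len == 0 || len > HOSTNAME_MAX_TEXT) return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        char c = host[i];
        if (c == '.') {
            if (label_len == 0 || label_len > LABEL_MAX) return false;
            label_len = 0;
            continue;
        }
        bool ldh = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || c == '-';
        if (!ldh) return false;
        if (label_len == 0 && c == '-') return false; /* "-foo" is invalid */
        label_len++;
    }
    return label_len > 0 && label_len <= LABEL_MAX;
}

/* Constructed example: five 60-character labels joined by dots give a
 * 304-character name, each label individually legal but the whole name
 * over the 253-character limit, so the guard must reject it. */
bool oversize_hostname_is_rejected(void) {
    char buf[400];
    size_t pos = 0;
    for (int label = 0; label < 5; label++) {
        if (label > 0) buf[pos++] = '.';
        memset(buf + pos, 'a', 60);
        pos += 60;
    }
    buf[pos] = '\0';
    return !hostname_is_safe_for_resolver(buf);
}

int main(void) {
    printf("example.com accepted: %d\n", hostname_is_safe_for_resolver("example.com"));
    printf("oversize name rejected: %d\n", oversize_hostname_is_rejected());
    return 0;
}
```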
MGA9-64 Plasma. No installation issues. Stumbled through testing as in Bug #29231, by using strace and neovim. Not knowing the commands at all, I made a mess of an old text file that fortunately no longer has relevance. Eventually I closed the window and searched the resulting strace file, finding one instance of opening libuv1.so.1. That was good enough for an OK then, so it's good enough now. Validating.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0079.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED