Bug 33057 - dnf5daemon-server new security issues CVE-2024-1930 and CVE-2024-2746 (incomplete fix for CVE-2024-1929)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-04 10:03 CEST by Nicolas Salguero
Modified: 2024-04-05 08:15 CEST

See Also:
Source RPM: dnf5-5.1.13-1.mga10.src.rpm
CVE: CVE-2024-1930, CVE-2024-2746
Status comment: fixed in version 5.1.17


Description Nicolas Salguero 2024-04-04 10:03:34 CEST
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/03/04/2
https://www.openwall.com/lists/oss-security/2024/04/03/5

They are fixed in version 5.1.17.
Nicolas Salguero 2024-04-04 10:03:50 CEST

CVE: (none) => CVE-2024-1930, CVE-2024-2746
Source RPM: (none) => dnf5-5.1.13-1.mga10.src.rpm

Comment 1 Lewis Smith 2024-04-04 21:27:54 CEST
Nicolas has already put version 5.1.17 in Cauldron.
Jani is working on the 32-bit build.
If this does not apply to Mageia 9, the bug can be closed/fixed once correctly built.
If it does apply to M9, please add that to Whiteboard; and assign to pkg-bugs for M9.

Status comment: (none) => fixed in version 5.1.17
CC: (none) => jani.valimaa

Comment 2 Nicolas Salguero 2024-04-05 08:15:21 CEST
Fixed with dnf5-5.1.17-3.mga10.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

