SUSE has issued an advisory on April 8: https://lwn.net/Articles/968975/ The problem is fixed in 32.0.1. Mageia 9 is also affected.
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 32.0.1
Source RPM: (none) => guava-31.0.1-3.mga9.src.rpm
CVE: (none) => CVE-2020-8908, CVE-2023-2976
Assigning globally, & CC'ing NicolasL who is a recent committer of this.
Assignee: bugsquad => pkg-bugs
CC: (none) => mageia
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A bug that could allow an attacker with access to the machine to potentially access data in a temporary directory created by Guava. (CVE-2020-8908)

Predictable temporary files and directories used in FileBackedOutputStream. (CVE-2023-2976)

References:
https://lwn.net/Articles/968975/
========================

Updated packages in core/updates_testing:
========================

guava-32.0.1-1.mga9
guava-javadoc-32.0.1-1.mga9
guava-testlib-32.0.1-1.mga9

from SRPM:
guava-32.0.1-1.mga9.src.rpm
Version: Cauldron => 9
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 32.0.1 => (none)
Whiteboard: MGA9TOO => (none)
Mageia9, x86_64

guava runs in an environment including Google and java and could be relevant to Android. For a complete outsider it is difficult to figure out exactly what its purpose or function is. /usr/share/doc/guava/README.md is not very helpful but these links may be:

[guava-snapshot-api-docs]: https://guava.dev/releases/snapshot-jre/api/docs/
[guava-snapshot-api-diffs]: https://guava.dev/releases/snapshot-jre/api/diffs/
[Guava Explained]: https://github.com/google/guava/wiki/Home
[Guava Beta Checker]: https://github.com/google/guava-beta-checker
[using Guava in your build]: https://github.com/google/guava/wiki/UseGuavaInYourBuild
[repackage]: https://github.com/google/guava/wiki/UseGuavaInYourBuild#what-if-i-want-to-use-beta-apis-from-a-library-that-people-use-as-a-dependency
[guava-deps]: https://github.com/google/guava/wiki/UseGuavaInYourBuild#what-about-guavas-own-dependencies

FWIW the packages update cleanly.

$ urpmq --whatrequires guava
auto-common
auto-service
auto-value
clojure-maven-plugin
google-guice
guava
guava-testlib
protobuf-java-util
truth
xmvn-minimal

There is a package /usr/share/java/google-guice-no_aop.jar.

guava-testlib has something to do with unit testing, strictly for developers.

Installed xmvn-minimal which turns out to be developer territory concerning maven and openjdk17.

Leaving this on hold in case anybody else wants to have a look at it.
CC: (none) => tarazed25
This is useful: https://github.com/google/guava/wiki/PhilosophyExplained

That makes it clear that this is for developers so not really testable by QA so it should be sent on.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Keywords: (none) => advisory
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0159.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED