CVE-2025-31160 was announced here:
https://www.openwall.com/lists/oss-security/2025/03/26/2
https://www.openwall.com/lists/oss-security/2025/03/26/3
https://rachelbythebay.com/w/2025/03/26/atop/
https://news.ycombinator.com/item?id=43485980
https://news.ycombinator.com/item?id=43477057

It seems that, for the moment, there is no fix yet and the advice is: do not use atop and, more importantly, do not run any binary from the atop package as root.
Another CVE with no fix yet. Recognising that it is unfair, assigning to DavidG as the main updater of this package.
Status: NEW => UPSTREAM
Assignee: bugsquad => geiger.david68210
Source RPM: (none) => atop
Some new information here: https://www.openwall.com/lists/oss-security/2025/03/29/1
Source RPM: atop => atop-2.11.0-1.mga10.src.rpm, atop-2.8.1-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-31160
Upstream has issued a new version 2.11.1 to fix CVE-2025-31160. See: https://www.atoptool.nl/downloadatop.php
Moreover, they provide a patch: https://www.atoptool.nl/download/fix-cve-2025-31160-v2.11.patch

openSUSE has issued an advisory on April 1: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3K7T3QBXEP6TWTVJEMB47AVS2B2R5O5V/
Status: UPSTREAM => ASSIGNED
Status comment: (none) => Fixed upstream in 2.11.1 and patch available from upstream
Cauldron already has version 2.11.1.
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: atop-2.11.0-1.mga10.src.rpm, atop-2.8.1-1.mga9.src.rpm => atop-2.8.1-1.mga9.src.rpm
Debian has issued an advisory on April 3: https://lists.debian.org/debian-security-announce/2025/msg00054.html
Status comment: Fixed upstream in 2.11.1 and patch available from upstream => Fixed upstream in 2.11.1 and patch available from upstream and Debian
Suggested advisory:
========================

The updated package fixes a security vulnerability:

atop through 2.11.0 allows local users to cause a denial of service (e.g., assertion failure and application exit) or possibly have unspecified other impact by running certain types of unprivileged processes while a different user runs atop. (CVE-2025-31160)

References:
https://www.openwall.com/lists/oss-security/2025/03/26/2
https://www.openwall.com/lists/oss-security/2025/03/26/3
https://rachelbythebay.com/w/2025/03/26/atop/
https://news.ycombinator.com/item?id=43485980
https://news.ycombinator.com/item?id=43477057
https://www.openwall.com/lists/oss-security/2025/03/29/1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3K7T3QBXEP6TWTVJEMB47AVS2B2R5O5V/
https://lists.debian.org/debian-security-announce/2025/msg00054.html
========================

Updated package in core/updates_testing:
========================
atop-2.8.1-1.1.mga9

from SRPM:
atop-2.8.1-1.1.mga9.src.rpm
Status comment: Fixed upstream in 2.11.1 and patch available from upstream and Debian => *
Assignee: geiger.david68210 => qa-bugs
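A defender-side check, added here as an example and not code from this ticket or from the atop project: given the output of `rpm -q atop`, decide whether the installed build is at or above the fixed build recorded in this ticket, using a simplified rpm-style version comparison. It assumes the package carries no epoch and the fixed builds quoted above (2.8.1-1.1.mga9 for Mageia 9, upstream 2.11.1 for Cauldron); comparing only the upstream version against 2.11.1 would wrongly flag the Mageia 9 backport as still vulnerable.

```python
import re
from typing import Tuple

# Fixed atop builds recorded in this ticket: Mageia 9 got a backport on top of
# 2.8.1, Cauldron carries upstream 2.11.1. Epochs are assumed absent (constructed
# table; a real check should read the distro advisory, MGASA-2025-0129).
FIXED_ATOP = {
    "9": ("2.8.1", "1.1.mga9"),
    "cauldron": ("2.11.1", None),
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version comparison: split into digit and alpha runs,
    compare digit runs numerically and alpha runs lexically, let digits outrank
    letters, and let the string with more segments win a tie.
    Tilde/caret handling of real rpmvercmp is omitted."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """'atop-2.8.1-1.1.mga9' (as printed by `rpm -q atop`) -> name, version, release."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def atop_is_fixed(installed_nvr: str, mageia_release: str) -> bool:
    """True when the installed atop is at or above the fixed build for that release."""
    name, version, release = split_nvr(installed_nvr)
    if name != "atop":
        raise ValueError(f"not an atop package: {installed_nvr}")
    fixed_version, fixed_release = FIXED_ATOP[mageia_release]
    by_version = rpmvercmp(version, fixed_version)
    if by_version != 0:
        return by_version > 0
    # Same upstream version: only the distro release number separates the
    # backport (2.8.1-1.1.mga9) from the vulnerable build (2.8.1-1.mga9).
    return fixed_release is None or rpmvercmp(release, fixed_release) >= 0


if __name__ == "__main__":
    for nvr in ("atop-2.8.1-1.mga9", "atop-2.8.1-1.1.mga9"):
        print(nvr, "fixed" if atop_is_fixed(nvr, "9") else "VULNERABLE")
```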
Status comment: * => (none)
Installed and tested without issues. Did some quick tests and it seems to be working correctly.

System: Mageia 9, x86_64, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.

$ uname -a
Linux jupiter 6.6.83-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 16 01:09:35 UTC 2025 x86_64 GNU/Linux

$ rpm -q atop
atop-2.8.1-1.1.mga9
CC: (none) => mageia
This update has been working without issues for the past three days so I'm marking it as OK for x86_64. Please if appropriate.
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => advisory
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0129.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED