Bug 35293 - freeipmi new security issue CVE-2026-33554
Summary: freeipmi new security issue CVE-2026-33554
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-03-30 15:23 CEST by Nicolas Salguero
Modified: 2026-04-01 01:08 CEST

See Also:
Source RPM: freeipmi-1.6.10-2.mga9.src.rpm
CVE: CVE-2026-33554
Status comment:
herman.viaene: test_passed_mga9_64+



Description Nicolas Salguero 2026-03-30 15:23:57 CEST
openSUSE has issued an advisory on March 29:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/CMUSXA2JYCKVIWVK4S4VIC7PKTX2BCXY/
Comment 1 Nicolas Salguero 2026-03-30 15:25:45 CEST
Fixed by: https://cgit.git.savannah.gnu.org/cgit/freeipmi.git/commit/?id=b03ca4d1bff4626c11db8684564b88cd26a2425d

Whiteboard: (none) => MGA9TOO
Flags: (none) => affects_mga9+
CVE: (none) => CVE-2026-33554
Source RPM: (none) => freeipmi-1.6.16-1.mga10.src.rpm, freeipmi-1.6.10-2.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.6.17 and patch available from upstream

Comment 2 Nicolas Salguero 2026-03-30 16:15:19 CEST
For Cauldron, freeipmi-1.6.16-2.mga10 fixes the issue.


Suggested advisory:
========================

The updated packages fix a security vulnerability:

ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. (CVE-2026-33554)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/CMUSXA2JYCKVIWVK4S4VIC7PKTX2BCXY/
========================

Updated packages in core/updates_testing:
========================
freeipmi-1.6.10-2.1.mga9
freeipmi-fish-1.6.10-2.1.mga9
freeipmi-utils-1.6.10-2.1.mga9
lib(64)freeipmi-devel-1.6.10-2.1.mga9
lib(64)freeipmi17-1.6.10-2.1.mga9
lib(64)ipmiconsole2-1.6.10-2.1.mga9
lib(64)ipmidetect0-1.6.10-2.1.mga9
lib(64)ipmimonitoring6-1.6.10-2.1.mga9

from SRPM:
freeipmi-1.6.10-2.1.mga9.src.rpm

Status comment: Fixed upstream in 1.6.17 and patch available from upstream => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Flags: affects_mga9+ => (none)
Source RPM: freeipmi-1.6.16-1.mga10.src.rpm, freeipmi-1.6.10-2.mga9.src.rpm => freeipmi-1.6.10-2.mga9.src.rpm
Status: NEW => ASSIGNED

katnatek 2026-03-31 02:51:24 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2026-03-31 03:52:46 CEST
installing freeipmi-1.6.10-2.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/1: freeipmi              ###################################################################################################
      1/1: removing freeipmi-1.6.10-2.mga9.x86_64
                                 ###################################################################################################
[root@jgrey ~]# LC_ALL=C urpmi freeipmi-utils
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  freeipmi-utils                 1.6.10       2.1.mga9      x86_64  
  lib64freeipmi17                1.6.10       2.1.mga9      x86_64  
  lib64ipmiconsole2              1.6.10       2.1.mga9      x86_64  
  lib64ipmidetect0               1.6.10       2.1.mga9      x86_64  
8.1MB of additional disk space will be used.
1.6MB of packages will be retrieved.
Proceed with the installation of the 4 packages? (Y/n) y


installing lib64freeipmi17-1.6.10-2.1.mga9.x86_64.rpm freeipmi-utils-1.6.10-2.1.mga9.x86_64.rpm lib64ipmiconsole2-1.6.10-2.1.mga9.x86_64.rpm lib64ipmidetect0-1.6.10-2.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/4: lib64freeipmi17       ###################################################################################################
      2/4: lib64ipmiconsole2     ###################################################################################################
      3/4: lib64ipmidetect0      ###################################################################################################
      4/4: freeipmi-utils        ###################################################################################################

Left at a clean install; feel free to provide other tests.
Comment 4 Herman Viaene 2026-03-31 16:19:31 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
Have been googling around to find a simple test, but ipmi seems to be an ecosystem on its own, of which these packages are only a part.
So IMHO, I agree to let it go.

Flags: (none) => test_passed_mga9_64+
CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2026-03-31 18:28:43 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2026-04-01 01:08:14 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0078.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

