Bug 35348 - perl-Net-CIDR-Lite new security issues CVE-2026-40198 and CVE-2026-40199
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-04-13 09:12 CEST by Nicolas Salguero
Modified: 2026-05-07 07:08 CEST

See Also:
Source RPM: perl-Net-CIDR-Lite-0.220.0-2.mga9.src.rpm
CVE: CVE-2026-40198, CVE-2026-40199
Status comment:
herman.viaene: test_passed_mga9_64+



Nicolas Salguero 2026-04-13 09:13:08 CEST

CVE: (none) => CVE-2026-40198, CVE-2026-40199
Source RPM: (none) => perl-Net-CIDR-Lite-0.220.0-3.mga10.src.rpm, perl-Net-CIDR-Lite-0.220.0-2.mga9.src.rpm
Flags: (none) => affects_mga9+
Status comment: (none) => Fixed upstream in 0.23 (aka 0.230.0)
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2026-04-13 21:30:07 CEST
A straight version update.

Assignee: bugsquad => perl

Comment 3 Nicolas Salguero 2026-04-30 13:28:21 CEST
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Net::CIDR::Lite versions before 0.23 for Perl do not validate IPv6 group count, which may allow IP ACL bypass. (CVE-2026-40198)

Net::CIDR::Lite versions before 0.23 for Perl mishandle IPv4-mapped IPv6 addresses, which may allow IP ACL bypass. (CVE-2026-40199)

References:
https://www.openwall.com/lists/oss-security/2026/04/11/1
https://www.openwall.com/lists/oss-security/2026/04/11/2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKKSURTDDZIA5TCZ3QL5KFVFSKVVMRSQ/
========================

Updated package in core/updates_testing:
========================
perl-Net-CIDR-Lite-0.230.0-1.mga9

from SRPM:
perl-Net-CIDR-Lite-0.230.0-1.mga9.src.rpm

Status comment: Fixed upstream in 0.23 (aka 0.230.0) => (none)
Flags: affects_mga9+ => (none)
Source RPM: perl-Net-CIDR-Lite-0.220.0-3.mga10.src.rpm, perl-Net-CIDR-Lite-0.220.0-2.mga9.src.rpm => perl-Net-CIDR-Lite-0.220.0-2.mga9.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Assignee: perl => qa-bugs

katnatek 2026-05-02 18:30:19 CEST

Keywords: (none) => advisory

Comment 4 Herman Viaene 2026-05-04 14:56:03 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
Ref bug 29205
Checked that MCC - Networkcenter is not disturbed by it.
OK for me.

CC: (none) => herman.viaene

Herman Viaene 2026-05-04 14:56:45 CEST

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

Comment 5 Thomas Andrews 2026-05-05 17:09:02 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2026-05-07 07:08:49 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0115.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

