From ${URL} : A long time ago, we looked at the low-level data marshaling code in the database server, and found quite a few memory safety issues. We also encountered server crashes and problems which looked like race conditions, affecting server stability. KDE uses a private UNIX domain socket to communicate with a user-specific database server, but the database server can be accessed over TCP as well. Upstream did not release a security advisory, but alluded to the fixes in the release announcement: <http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VOSNews#Client%20RPC> and in commit messages: <https://github.com/openlink/virtuoso-opensource/commits/develop/6/libsrc/Dk> We have not assigned CVE identifiers because the number of different crashes we saw was fairly large, and we could not completely understand how the RPC implementation is pieced together. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
Best I can do here is stable 6.1.8, since it at least got some of those fixes--we cannot move to 7 since upstream completely dropped non-amd64 support. Arches, please stabilize: =dev-db/virtuoso-odbc-6.1.8 =dev-db/virtuoso-server-6.1.8 Target arches: amd64 ppc ppc64 x86
(In reply to Chris Reffett from comment #1) > Best I can do here is stable 6.1.8, since it at least got some of those > fixes--we cannot move to 7 since upstream completely dropped non-amd64 > support. This bug also affects EPEL6 (https://bugzilla.redhat.com/show_bug.cgi?id=1219016). They run 6.1.6 and I guess they will backport the security fixes. Do we want to give them an opportunity?
Sure.
This package has been masked for removal.
Packages removed from tree. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=49c964c862865ba64f1a63508a8cc6ddf588e575 https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b8e1118cc57cbd0f1d08eba405f8a3e6e62a84a
Please do not close security bugs.
New GLSA Request filed. Gentoo Security Padawan ChrisADR
Very vague reports. Downgrading to B3 as no PoC for ACE/RCE.
NO CVE as per: ______________________________ We have not assigned CVE identifiers because the number of different crashes we saw was fairly large, and we could not completely understand how the RPC implementation is pieced together. ______________________________