From ${URL} :

> [] https://github.com/libevent/libevent/issues/317
> libevent dns remote stack overread vulnerability

Use CVE-2016-10195.

> [] https://github.com/libevent/libevent/issues/318
> libevent (stack) buffer overflow in evutil_parse_sockaddr_port()

Use CVE-2016-10196.

> [] https://github.com/libevent/libevent/issues/332
> out-of-bounds read in search_make_new()

Use CVE-2016-10197.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
"Libevent 2.1.6 fixed three bugs that may have security implications. Can you assign CVE IDs as appropriate?" says the cited parent.

2.1.6 was a beta release from August 2016. We have since seen a release candidate 2.1.7 and 2.1.8 is in the tree while 2.1.5 was removed as well.

All done?
(In reply to Jeroen Roovers from comment #1)

> says the cited parent. 2.1.6 was a beta release from August 2016. We have
> since seen a release candidate 2.1.7 and 2.1.8 is in the tree while 2.1.5
> was removed as well.
>
> All done?

Well, looks like we need to stabilize >=dev-libs/libevent-2.1.7_rc in this case.

Can we stabilize =dev-libs/libevent-2.1.8 or should we wait a little bit?
(In reply to Thomas Deutschmann from comment #2)

> Well, looks like we need to stabilize >=dev-libs/libevent-2.1.7_rc in
> this case.

Only if 2.0.22 is vulnerable.

> Can we stabilize =dev-libs/libevent-2.1.8 or should we wait a
> little bit?

Arch teams, please test and mark stable:

=dev-libs/libevent-2.1.8

Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
amd64 stable
arm ppc ppc64 stable.
Except that I had to mask 2.1.8 to emerge nfs-utils and ntp...

dev-libs/libevent:0

  (dev-libs/libevent-2.1.8:0/2.1-6::gentoo, ebuild scheduled for merge) conflicts with
    <=dev-libs/libevent-2.1 required by (net-fs/nfs-utils-1.3.1-r5:0/0::gentoo, installed)
    ^^                  ^^^
    >=dev-libs/libevent-2.0.9:0/0=[threads] required by (net-misc/ntp-4.2.8_p9:0/0::gentoo, installed)
                        ^^^^^
Stable for HPPA.
(In reply to Stéphane BARBARAY from comment #6)
alpha/ia64 stable
Stable for AMD64 x86.
Arches, thank you for your work. We can no longer wait on sparc as it is affecting the release of the GLSA. New GLSA request filed. Please stabilize sparc.
This issue was resolved and addressed in GLSA 201705-01 at https://security.gentoo.org/glsa/201705-01 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for sparc and cleanup.
sparc - please stabilize or move to ~sparc. Maintainer(s), please drop the vulnerable version(s).
Ping: this report has been open since 05/17, any news?

Security Team Padawan
ChrisADR
sparc was dropped to exp: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9

@maintainer(s), please clean up.
sparc stable (thanks to Rolf Eike Beer)
Stabilization has been completed, all vulnerable versions have been removed from the tree.