See ${URL} @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c28eb1ec656863308d99790290560cdf2d15fd02

commit c28eb1ec656863308d99790290560cdf2d15fd02
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-05-20 18:48:50 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-05-20 18:49:10 +0000

    sys-process/procps: Security bump to version 3.3.15

    Bug: https://bugs.gentoo.org/656022
    Package-Manager: Portage-2.3.38, Repoman-2.3.9

 sys-process/procps/Manifest             |  1 +
 sys-process/procps/procps-3.3.15.ebuild | 81 +++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+)
(In reply to Larry the Git Cow from comment #1)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=c28eb1ec656863308d99790290560cdf2d15fd02
>
> commit c28eb1ec656863308d99790290560cdf2d15fd02
> Author: Lars Wendler <polynomial-c@gentoo.org>
> AuthorDate: 2018-05-20 18:48:50 +0000
> Commit: Lars Wendler <polynomial-c@gentoo.org>
> CommitDate: 2018-05-20 18:49:10 +0000
>
> sys-process/procps: Security bump to version 3.3.15
>
> Bug: https://bugs.gentoo.org/656022
> Package-Manager: Portage-2.3.38, Repoman-2.3.9
>
> sys-process/procps/Manifest | 1 +
> sys-process/procps/procps-3.3.15.ebuild | 81
> +++++++++++++++++++++++++++++++++
> 2 files changed, 82 insertions(+)

ebuild can not apply patches properly, please revisit

>>> Preparing source in /var/tmp/tmpfs/portage/sys-process/procps-3.3.15/work/procps-ng-3.3.15 ...
 * Applying procps-3.3.8-kill-neg-pid.patch ...
2 out of 2 hunks FAILED -- saving rejects to file skill.c.rej
 [ !! ]
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6fbfaa56c2cefa7f97153efe097a003a9132ab05

commit 6fbfaa56c2cefa7f97153efe097a003a9132ab05
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-23 16:30:36 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-23 18:37:29 +0000

    sys-process/procps: stable 3.3.15-r1 for sparc

    Bug: https://bugs.gentoo.org/656022
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 sys-process/procps/procps-3.3.15-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90ff196c2b7b43b0ca9f1f43713cd90aff01573a

commit 90ff196c2b7b43b0ca9f1f43713cd90aff01573a
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-05-23 19:03:42 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-23 19:03:48 +0000

    sys-process/procps: stable 3.3.15-r1 for ia64, bug #656022

    Bug: https://bugs.gentoo.org/656022
    Package-Manager: Portage-2.3.38, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 sys-process/procps/procps-3.3.15-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
ppc64 stable
ppc stable
x86 stable
arm64 stable
arm stable
alpha stable/old killed
GLSA Request filed
This issue was resolved and addressed in GLSA 201805-14 at https://security.gentoo.org/glsa/201805-14 by GLSA coordinator Aaron Bauman (b-man).
This GLSA is wrongly handled in that it has *incorrect* CVE numbers, which is confusing for users. Please read the upstream 3.3.15 release notes. The Qualys analysis also clearly states which CVEs have the patches.
https://gitlab.com/procps-ng/procps/tags/v3.3.15

The CVEs fixed by version 3.3.15-r1 are:

CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126

From the Qualys audit:

The kernel patch for CVE-2018-1120 is:
https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830

There is currently no patch for CVE-2018-1121, because no satisfactory solution (secure and efficient) has been found. Please feel free to suggest ideas here!
Hi Oleg,

(In reply to Oleg from comment #13)
> This GLSA is wrongly handled in that it has *incorrect* CVE numbers, which
> is confusing for users. Please read the upstream 3.3.15 release notes.
> The Qualys analysis also clearly states which CVEs have the patches.
> https://gitlab.com/procps-ng/procps/tags/v3.3.15
>
> The CVEs fixed by version 3.3.15-r1 are:
>
> CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126
>
> From the Qualys audit:
>
>
> The kernel patch for CVE-2018-1120 is:
> https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830
>
> There is currently no patch for CVE-2018-1121, because no satisfactory
> solution (secure and efficient) has been found. Please feel free to
> suggest ideas here!

Thanks for spotting this issue, we are fixing the CVEs listed in said GLSA and will create a separate report to handle CVE-2018-1121.

Thank you,