See here: https://github.com/xrootd/xrootd/commit/fff97c2dc6703dc1ba8b28b1bf67eeb278ff3e22 In major version 5 this has already been fixed, in 5.0.2. For version 4, it looks like it will be safe to backport the patch. Will have to fast-stabilise =net-libs/xrootd-4.12.3-r1 once I have pushed it into the tree (would rather not stabilise 5 just yet; it is not entirely backwards-compatible).
Correction to the stabilisation request: 4.12.4 has already been released so I'll patch that one before pushing it into the tree instead of revbumping 4.12.3.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c29254e32859af457652108a47db8060cc325ce

commit 0c29254e32859af457652108a47db8060cc325ce
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-09-18 17:40:41 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-09-18 17:43:49 +0000

    net-libs/xrootd: remove old

    Bug: https://bugs.gentoo.org/743391
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/xrootd/Manifest            |   2 -
 net-libs/xrootd/xrootd-5.0.0.ebuild | 116 ------------------------------------
 net-libs/xrootd/xrootd-5.0.1.ebuild | 116 ------------------------------------
 3 files changed, 234 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a0003172e29b7c7d16a8dbffb7065c2cb1d72a2

commit 4a0003172e29b7c7d16a8dbffb7065c2cb1d72a2
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-09-18 17:38:21 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-09-18 17:43:45 +0000

    net-libs/xrootd: bump to 4.12.4

    Also includes the http-key-leakage patch backported from 5.0.2.

    Bug: https://bugs.gentoo.org/743391
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/xrootd/Manifest                                 |  2 +-
 .../files/xrootd-4.12.4-http_secret_leakage.patch        | 41 ++++++++++++++++++++++
 .../{xrootd-4.12.3.ebuild => xrootd-4.12.4.ebuild}       |  8 +++--
 3 files changed, 48 insertions(+), 3 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b4d25e3bdef5c85035f5c2c6b631eee30e4733c

commit 6b4d25e3bdef5c85035f5c2c6b631eee30e4733c
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-09-18 17:18:34 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-09-18 17:43:42 +0000

    net-libs/xrootd: bump to 5.0.2

    Among other things, this fixes potential secret-key leakage in HTTP mode.

    Bug: https://bugs.gentoo.org/743391
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/xrootd/Manifest            |   1 +
 net-libs/xrootd/xrootd-5.0.2.ebuild | 116 ++++++++++++++++++++++++++++++++++++
 2 files changed, 117 insertions(+)
Following the bumps and the clean-up, 4.12.0 is now the only potentially vulnerable version in the tree. It will be removed once =net-libs/xrootd{,-ceph}-4.12.4 [1] have been stabilised.

[1] In theory net-libs/xrootd-ceph-4.10.0 should work with net-libs/xrootd-4.14.4 as long as they have both been built with the same g++ version; better to update them in sync, though.
(In reply to Marek Szuba from comment #3)
> Following the bumps and the clean-up, 4.12.0 is now the only potentially
> vulnerable version in the tree. It will be removed once
> =net-libs/xrootd{,-ceph}-4.12.4 [1] have been stabilised.
>
> [1] In theory net-libs/xrootd-ceph-4.10.0 should work with
> net-libs/xrootd-4.14.4 as long as they have both been built with the same
> g++ version, better to update them in sync though.

Excellent. Please use this bug for the stabilisation when you're ready!
(In reply to Sam James from comment #4)
> (In reply to Marek Szuba from comment #3)
> > Following the bumps and the clean-up, 4.12.0 is now the only potentially
> > vulnerable version in the tree. It will be removed once
> > =net-libs/xrootd{,-ceph}-4.12.4 [1] have been stabilised.
> >
> > [1] In theory net-libs/xrootd-ceph-4.10.0 should work with
> > net-libs/xrootd-4.14.4 as long as they have both been built with the same
> > g++ version, better to update them in sync though.
>
> Excellent. Please use this bug for the stabilisation when you're ready!

Ready?
x86 stable
amd64 stable. Maintainer(s), please cleanup. Security, please vote.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Guess this was done some time ago:

commit 059cc5d6a7a5a6748dff01ce355c47dde1ccde69
Author: Marek Szuba <marecki@gentoo.org>
Date:   Fri Oct 16 12:49:59 2020 +0200

    net-libs/xrootd: remove old

    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 delete mode 100644 net-libs/xrootd/xrootd-4.12.0.ebuild

Still needs vote.
Unable to check for sanity:

> no match for package: net-libs/xrootd-4.12.4
Package list is empty or all packages have requested keywords.
This seems to be of minimal impact, no GLSA.