Summary: | <dev-libs/libevent-2.1.7_rc: multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | jer, rich0 |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2017/02/02/7 | ||
Whiteboard: | A2 [glsa cve] | ||
Package list: | =dev-libs/libevent-2.1.8 | ||
Runtime testing required: | --- |
Bug Depends on: | 608180 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2017-02-02 13:43:08 UTC

"Libevent 2.1.6 fixed three bugs that may have security implications. Can you assign CVE IDs as appropriate?"

says the cited parent. 2.1.6 was a beta release from August 2016. We have since seen a release candidate 2.1.7 and 2.1.8 is in the tree while 2.1.5 was removed as well.

All done?

(In reply to Jeroen Roovers from comment #1)
> says the cited parent. 2.1.6 was a beta release from August 2016. We have
> since seen a release candidate 2.1.7 and 2.1.8 is in the tree while 2.1.5
> was removed as well.
>
> All done?

Well, looks like we need to stabilize >=dev-libs/libevent-2.1.7_rc in this case. Can we stabilize =dev-libs/libevent-2.1.8 or should we wait a little bit?

(In reply to Thomas Deutschmann from comment #2)
> Well, looks like we need to stabilize >=dev-libs/libevent-2.1.7_rc in
> this case.

Only if 2.0.22 is vulnerable.

> Can we stabilize =dev-libs/libevent-2.1.8 or should we wait a
> little bit?

Arch teams, please test and mark stable:
=dev-libs/libevent-2.1.8
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

amd64 stable

arm ppc ppc64 stable.

Except that I had to mask 2.1.8 to emerge nfs-utils and ntp...

dev-libs/libevent:0

  (dev-libs/libevent-2.1.8:0/2.1-6::gentoo, ebuild scheduled for merge) conflicts with
    <=dev-libs/libevent-2.1 required by (net-fs/nfs-utils-1.3.1-r5:0/0::gentoo, installed)
    ^^                  ^^^
    >=dev-libs/libevent-2.0.9:0/0=[threads] required by (net-misc/ntp-4.2.8_p9:0/0::gentoo, installed)
                             ^^^^^

Stable for HPPA.

(In reply to Stéphane BARBARAY from comment #6)

alpha/ia64 stable

Stable for AMD64 x86.

Arches, Thank you for your work. Can no longer wait on sparc as it is affecting release of GLSA. New GLSA Request filed. Please stabilize sparc.

This issue was resolved and addressed in GLSA 201705-01 at https://security.gentoo.org/glsa/201705-01 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for sparc and cleanup. sparc - please stabilize or move to ~sparc.
Maintainer(s), please drop the vulnerable version(s).

Ping: This report is still open since 05/17; any news?
Security Team Padawan ChrisADR

sparc was dropped to exp.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9

@maintainer(s), please clean up.

sparc stable (thanks to Rolf Eike Beer)

Stabilization has been completed, all vulnerable versions have been removed from the tree.