Summary: | <sys-libs/libosinfo-1.6.0: Credential leak (CVE-2019-13313) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | gnome |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.openwall.com/lists/oss-security/2019/07/08/3 | ||
Whiteboard: | B4 [noglsa cve] | ||
Package list: | sys-apps/osinfo-db-tools-1.6.0-r1, sys-libs/libosinfo-1.6.0, sys-apps/osinfo-db-20200214 |
Runtime testing required: | --- |
Description
Sam James
2020-03-02 16:34:45 UTC
1.6.0 appears to just deprecate this way of passing the credentials. Now what is actually passing them like that is the real question, I'd think. I don't mind stabilizing a newer version on the pretext of security, but that doesn't mean other stuff calling osinfo-install-script now suddenly doesn't put the password into the process commandline anymore.

So let's stable anyways as we are so behind on libosinfo, and there have been no bug reports that I know of for a week for this version. osinfo-db I usually ALLARCHES myself, but due to the huge jump and some test cases moving churn upstream let's include it in the batch without ALLARCHES this time.

x86 stable

amd64 stable

arm64 stable

Repository is clean, all done!
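The concern raised above is that callers may still place the password in the argv of osinfo-install-script, where other local users can read it. The following audit check is an added example, not code from this bug report or from libosinfo; it assumes the tool's `-c`/`--config` option and the `user-password`/`admin-password` config keys as documented in its man page, and reports only key names, never values.

```python
import os

TOOL = "osinfo-install-script"
# Assumed key names, taken from the tool's man page, not from this bug report.
SECRET_KEYS = ("user-password", "admin-password")

def parse_cmdline(raw: bytes) -> list[str]:
    """Split a /proc/<pid>/cmdline buffer, which is NUL-separated argv."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def leaked_keys(argv: list[str]) -> list[str]:
    """Names of password keys given via -c/--config; values are never returned."""
    if not argv or os.path.basename(argv[0]) != TOOL:
        return []
    found, i = [], 1
    while i < len(argv):
        arg, value = argv[i], None
        if arg in ("-c", "--config") and i + 1 < len(argv):
            i += 1
            value = argv[i]
        elif arg.startswith("--config="):      # does not match --config-file=
            value = arg[len("--config="):]
        elif arg.startswith("-c") and not arg.startswith("--"):
            value = arg[2:]                    # attached short form: -ckey=val
        if value and value.split("=", 1)[0] in SECRET_KEYS:
            found.append(value.split("=", 1)[0])
        i += 1
    return found

def scan_proc(proc: str = "/proc") -> dict[int, list[str]]:
    """Map PID -> exposed key names for every process this user can read."""
    hits = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                keys = leaked_keys(parse_cmdline(fh.read()))
        except OSError:                        # process exited or access denied
            continue
        if keys:
            hits[int(entry)] = keys
    return hits

if __name__ == "__main__":
    for pid, keys in scan_proc().items():
        print(f"pid {pid}: {TOOL} has {', '.join(keys)} on its command line")
```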