Summary: | <dev-libs/librdkafka-1.4.0: multiple vulnerabilities | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | Flags: | nattka: sanity-check+ |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://github.com/edenhill/librdkafka/releases/tag/v1.4.0 | | |
Whiteboard: | B3 [noglsa] | | |
Package list: | dev-libs/librdkafka-1.4.0 amd64 arm hppa x86 | | |
Runtime testing required: | --- | | |
arm64 stable

amd64 stable

arm stable

x86 stable

GLSA Vote: No

hppa stable

@maintainer(s), please cleanup

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d43aca579cd3e0fa62569c2030f82db85c9bcb8e

commit d43aca579cd3e0fa62569c2030f82db85c9bcb8e
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-30 23:36:00 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-30 23:36:09 +0000

    dev-libs/librdkafka: security cleanup

    Bug: https://bugs.gentoo.org/717704
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/librdkafka/Manifest                       |  4 --
 ...librdkafka-1.1.0-remove-automagic-on-zstd.patch | 29 --------
 dev-libs/librdkafka/librdkafka-1.1.0.ebuild        | 78 ----------------------
 dev-libs/librdkafka/librdkafka-1.2.1.ebuild        | 76 ---------------------
 dev-libs/librdkafka/librdkafka-1.2.2.ebuild        | 76 ---------------------
 dev-libs/librdkafka/librdkafka-1.3.0.ebuild        | 76 ---------------------
 6 files changed, 339 deletions(-)

Repository is clean, all done!
From $URL:

> Security fixes
>
> Two security issues have been identified in the SASL SCRAM protocol handler:
>
> The client nonce, which is expected to be a random string, was a static string.
> If sasl.username and sasl.password contained characters that needed escaping, a buffer overflow and heap corruption would occur. This was protected, but too late, by an assertion.
>
> Both of these issues are fixed in this release.
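As an added example (not librdkafka's or the release's own code), here is what the corrected form of the two points in those release notes looks like for a SCRAM client-first message per RFC 5802: the nonce comes from a CSPRNG on every exchange, and the username escaping (`,` to `=2C`, `=` to `=3D`) sizes its output before writing, so a value that expands when escaped is refused rather than overrunning the buffer and relying on a late assertion. The function names and the `/dev/urandom` source are assumptions of this example.

```c
/* Added example, not librdkafka code: SCRAM client-first message (RFC 5802)
 * with a CSPRNG nonce and bounds-checked username escaping. Names are ours. */
#include <stdio.h>
#include <string.h>

/* Bytes needed for s after SCRAM escaping (',' -> "=2C", '=' -> "=3D"). */
size_t scram_escaped_len(const char *s) {
    size_t n = 0;
    for (; *s; s++)
        n += (*s == ',' || *s == '=') ? 3 : 1;
    return n;
}

/* Escape s into out. The output is sized before anything is written, so an
 * escape-heavy username is rejected instead of overrunning the buffer. */
int scram_escape(const char *s, char *out, size_t outlen) {
    if (scram_escaped_len(s) + 1 > outlen)
        return -1;
    char *p = out;
    for (; *s; s++) {
        if (*s == ',')      { memcpy(p, "=2C", 3); p += 3; }
        else if (*s == '=') { memcpy(p, "=3D", 3); p += 3; }
        else                *p++ = *s;
    }
    *p = '\0';
    return (int)(p - out);
}

/* Fresh nonce of len chars from /dev/urandom (RFC 5802 forbids ',' in it); 0 on success, -1 if unavailable. */
int scram_nonce(char *nonce, size_t len) {
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    for (size_t i = 0; i < len; ) {
        int b = fgetc(f);
        if (b == EOF) { fclose(f); return -1; }
        if (b >= 248) continue;      /* 248 = 4*62: reject to avoid modulo bias */
        nonce[i++] = alphabet[b % 62];
    }
    fclose(f);
    nonce[len] = '\0';
    return 0;
}

/* "n,,n=<user>,r=<nonce>"; -1 if escaping fails or the message does not fit. */
int scram_client_first(const char *user, const char *nonce, char *out, size_t outlen) {
    char euser[256];
    if (scram_escape(user, euser, sizeof euser) < 0) return -1;
    int n = snprintf(out, outlen, "n,,n=%s,r=%s", euser, nonce);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}
```

The caller must hand `scram_nonce` a buffer of `len + 1` bytes for the terminator.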