Summary: | dev-php/awl: Multiple vulnerabilities (CVE-2020-{11728,11729}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Sam James <sam>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | trivial | CC: | mjo, php-bugs, proxy-maint, till2.schaefer
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://gitlab.com/davical-project/awl/-/commit/6bdacad0b4fc51583c040d3bbefdd052ed863611 | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=718750 | |
Whiteboard: | ~3 [noglsa] | |
Package list: | | Runtime testing required: | ---
Description
Sam James
2020-04-21 12:09:13 UTC
It looks like an easy fix. These are the only changes in v0.61:

2020-04-13 Florian Schlichting <fsfs@debian.org>
  * release awl 0.61
  * Update AUTHORS and ChangeLog

2020-04-04 Florian Schlichting <fsfs@debian.org>
  * Disallow current time as a session key (fix: #19, CVE-2020-11728)
  * Drop LSIDLogin function (fix: #18, CVE-2020-11729)

2019-02-27 Jamie McClymont <jamiemcclymont@catalyst.net.nz>
  * Make olson_from_tzstring faster by caching timezone_identifiers_list

2019-12-06 Florian Schlichting <fsfs@debian.org>
  * myComponentTest.php: drop empty setUp function, which causes make test to fail with PHPUnit 8
  * use foreach() instead of deprecated each() (see davical-project/davical#190)

2019-01-30 Florian Schlichting <fsfs@debian.org>
  * release awl 0.60
  * Update AUTHORS and ChangeLog


The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9eab139bd32fb43fb2d42f02a942a1e2baccfebd

commit 9eab139bd32fb43fb2d42f02a942a1e2baccfebd
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-04-21 13:37:04 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-04-21 13:38:45 +0000

    dev-php/awl: remove old vulnerable versions.

    Bug: https://bugs.gentoo.org/718736
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/awl/Manifest        |  2 --
 dev-php/awl/awl-0.59.ebuild | 33 ---------------------------------
 dev-php/awl/awl-0.60.ebuild | 33 ---------------------------------
 3 files changed, 68 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53db769dc5145930f52953843761c4b81225060c

commit 53db769dc5145930f52953843761c4b81225060c
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-04-21 13:36:00 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-04-21 13:38:44 +0000

    dev-php/awl: new v0.61 to address CVE-2020-{11728,11729}.

    Bug: https://bugs.gentoo.org/718736
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/awl/Manifest        |  1 +
 dev-php/awl/awl-0.61.ebuild | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)


All done. Thanks mjo, very quick. :)


uh, davical needs to be updated to 1.1.9.3 at the same time, which is the only reason for awl to exist in the portage tree afaik ..
why not wait a day for the proxy maintainer to comment on this?

see https://gitlab.com/davical-project/davical/-/commit/55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50e70c


(In reply to Till Schäfer from comment #5)
> uh, davical needs to be updated to 1.1.9.3 at the same time, which is the
> only reason for awl to exist in the portage tree afaik ..
> why not wait a day for the proxy maintainer to comment on this?
>
> see
> https://gitlab.com/davical-project/davical/-/commit/55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50e70c

will create a pull request on github


(In reply to Till Schäfer from comment #5)
> uh, davical needs to be updated to 1.1.9.3 at the same time, which is the
> only reason for awl to exist in the portage tree afaik ..
> why not wait a day for the proxy maintainer to comment on this?
>
> see
> https://gitlab.com/davical-project/davical/-/commit/55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50e70c

I saw a vulnerability in AWL and reported it. I hadn't seen DAViCal is also in tree. Obviously this has already been cleaned up so this needs a new bug.

I assume DAViCal isn't vulnerable, just currently left in a broken state? If it depends on a specific version, it should be specified in the ebuild (is it? have not checked) so removals would trigger a CI problem.


Typically, davical is compatible with newer awl versions, thus there is a >= dependency. But this time LSID was removed.

Created Bug 718750 to track this.


(In reply to Till Schäfer from comment #5)
> why not wait a day for the proxy maintainer to comment on this?
>
> see
> https://gitlab.com/davical-project/davical/-/commit/55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50e70c

I apologize, I tested the update on our davical-1.1.8 and it didn't hurt anything. That commit above looks only cosmetic? In any case, I didn't mean to step on your toes, just stuck at home overly bored.


(In reply to Michael Orlitzky from comment #9)
> (In reply to Till Schäfer from comment #5)
> > why not wait a day for the proxy maintainer to comment on this?
> >
> > see
> > https://gitlab.com/davical-project/davical/-/commit/55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50e70c
>
> I apologize, I tested the update on our davical-1.1.8 and it didn't hurt
> anything. That commit above looks only cosmetic? In any case, I didn't mean
> to step on your toes, just stuck at home overly bored.

I guess it is not utterly broken, just some corner cases. Just created the pull request (see the referenced bug).

All fine, stay healthy! There is no need for another virus stepping through an awl vulnerability here, too :).

BTW: is there a reason you are sticking with an outdated, not-in-tree version of davical with other security flaws (e.g. CVE-2019-18345)? If so, please file a bug report (maybe it is fixable from my side).


(In reply to Till Schäfer from comment #10)
> BTW: is there a reason you are sticking with an outdated, not-in-tree
> version of davical with other security flaws (e.g. CVE-2019-18345)? If so,
> please file a bug report (maybe it is fixable from my side).

Personal laziness, I'll upgrade today, I promise.
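The v0.61 changelog entry quoted in the description, "Disallow current time as a session key (CVE-2020-11728)", names a weakness class that is easy to underestimate: a session key that is nothing more than a Unix timestamp has only a few thousand plausible values once an attacker knows roughly when the victim logged in. The block below is an added example written for this page, not code from awl, DAViCal or the Gentoo ebuilds, and the function names, the "reject timestamp-shaped keys" guard and the sample login time are assumptions made for illustration; awl's actual fix is in the upstream commit linked in the URL field.

```python
import hmac
import secrets
from typing import Callable, Optional

# Added example, not awl's code. It models the weakness class behind the
# changelog entry "Disallow current time as a session key" (CVE-2020-11728):
# a session key equal to a Unix timestamp is guessable within a small window.
# The guard in looks_like_timestamp() is an assumed design, not awl's patch.

SECONDS_PER_DAY = 86400


def weak_session_key(login_time: int) -> str:
    """Vulnerable pattern: the login timestamp doubles as the session key."""
    return str(login_time)


def strong_session_key() -> str:
    """Hardened pattern: 256 bits from the OS CSPRNG, hex encoded."""
    return secrets.token_hex(32)


def looks_like_timestamp(key: str, now: int, slack: int = SECONDS_PER_DAY) -> bool:
    """Assumed server-side guard: refuse any key that is a bare decimal
    integer within `slack` seconds of the current time."""
    if not key.isdigit():
        return False
    return abs(int(key) - now) <= slack


def validate_session_key(presented: str, stored: str, now: int) -> bool:
    """Accept a session only if neither side is timestamp-shaped and the
    presented key matches the stored one in constant time."""
    if looks_like_timestamp(presented, now) or looks_like_timestamp(stored, now):
        return False
    return hmac.compare_digest(presented, stored)


def brute_force_weak_key(
    estimate: int, window: int, is_valid: Callable[[str], bool]
) -> Optional[str]:
    """Attacker's view: try every timestamp within +/- window seconds of the
    estimated login time and return the first key the server accepts."""
    for t in range(estimate - window, estimate + window + 1):
        candidate = weak_session_key(t)
        if is_valid(candidate):
            return candidate
    return None


def demo() -> dict:
    """Recover a timestamp session key, then show the hardened path resists."""
    login_time = 1_586_995_200  # constructed: a fixed Unix time for the demo
    stored_weak = weak_session_key(login_time)

    def naive_server_check(key: str) -> bool:
        # Naive server: a plain (constant-time) compare against the weak key.
        return hmac.compare_digest(key, stored_weak)

    # Attacker knows the login happened "about a minute and a half ago"
    # and brute-forces a five-minute window on either side of that guess.
    recovered = brute_force_weak_key(login_time + 90, 300, naive_server_check)

    stored_strong = strong_session_key()
    return {
        "recovered_weak_key": recovered,
        "max_attempts_needed": 2 * 300 + 1,
        "strong_key_bits": len(stored_strong) * 4,
        "hardened_server_rejects_timestamp_key": not validate_session_key(
            stored_weak, stored_weak, login_time
        ),
        "hardened_server_accepts_random_key": validate_session_key(
            stored_strong, stored_strong, login_time
        ),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` recovers the weak key with at most 601 guesses, while the random key offers 256 bits of entropy and the guard refuses a timestamp-shaped key even when it matches the stored value. The guard is a belt-and-braces measure; the real fix is never to derive the key from the clock in the first place.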