| Summary: | net-libs/xrootd-4.12.4: potential secret-key leakage in HTTP mode | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Marek Szuba (RETIRED) <marecki> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | ajak, sci-physics |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Marek Szuba (RETIRED)

Correction to the stabilisation request: 4.12.4 has already been released so I'll patch that one before pushing it into the tree instead of revbumping 4.12.3.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c29254e32859af457652108a47db8060cc325ce

commit 0c29254e32859af457652108a47db8060cc325ce
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-09-18 17:40:41 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-09-18 17:43:49 +0000

net-libs/xrootd: remove old

Bug: https://bugs.gentoo.org/743391
Signed-off-by: Marek Szuba <marecki@gentoo.org>

net-libs/xrootd/Manifest | 2 -
net-libs/xrootd/xrootd-5.0.0.ebuild | 116 ------------------------------------
net-libs/xrootd/xrootd-5.0.1.ebuild | 116 ------------------------------------
3 files changed, 234 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a0003172e29b7c7d16a8dbffb7065c2cb1d72a2

commit 4a0003172e29b7c7d16a8dbffb7065c2cb1d72a2
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-09-18 17:38:21 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-09-18 17:43:45 +0000

net-libs/xrootd: bump to 4.12.4

Also includes the http-key-leakage patch backported from 5.0.2.

Bug: https://bugs.gentoo.org/743391
Signed-off-by: Marek Szuba <marecki@gentoo.org>

net-libs/xrootd/Manifest | 2 +-
.../files/xrootd-4.12.4-http_secret_leakage.patch | 41 ++++++++++++++++++++++
.../{xrootd-4.12.3.ebuild => xrootd-4.12.4.ebuild} | 8 +++--
3 files changed, 48 insertions(+), 3 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b4d25e3bdef5c85035f5c2c6b631eee30e4733c

commit 6b4d25e3bdef5c85035f5c2c6b631eee30e4733c
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-09-18 17:18:34 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-09-18 17:43:42 +0000

net-libs/xrootd: bump to 5.0.2

Among other things, this fixes potential secret-key leakage in HTTP mode.

Bug: https://bugs.gentoo.org/743391
Signed-off-by: Marek Szuba <marecki@gentoo.org>

net-libs/xrootd/Manifest | 1 +
net-libs/xrootd/xrootd-5.0.2.ebuild | 116 ++++++++++++++++++++++++++++++++++++
2 files changed, 117 insertions(+)

Following the bumps and the clean-up, 4.12.0 is now the only potentially vulnerable version in the tree. It will be removed once =net-libs/xrootd{,-ceph}-4.12.4 [1] have been stabilised.

[1] In theory net-libs/xrootd-ceph-4.10.0 should work with net-libs/xrootd-4.14.4 as long as they have both been built with the same g++ version, better to update them in sync though.

(In reply to Marek Szuba from comment #3)
> Following the bumps and the clean-up, 4.12.0 is now the only potentially
> vulnerable version in the tree. It will be removed once
> =net-libs/xrootd{,-ceph}-4.12.4 [1] have been stabilised.
>
> [1] In theory net-libs/xrootd-ceph-4.10.0 should work with
> net-libs/xrootd-4.14.4 as long as they have both been built with the same
> g++ version, better to update them in sync though.

Excellent. Please use this bug for the stabilisation when you're ready!

(In reply to Sam James from comment #4)
> (In reply to Marek Szuba from comment #3)
> > Following the bumps and the clean-up, 4.12.0 is now the only potentially
> > vulnerable version in the tree. It will be removed once
> > =net-libs/xrootd{,-ceph}-4.12.4 [1] have been stabilised.
> >
> > [1] In theory net-libs/xrootd-ceph-4.10.0 should work with
> > net-libs/xrootd-4.14.4 as long as they have both been built with the same
> > g++ version, better to update them in sync though.
>
> Excellent. Please use this bug for the stabilisation when you're ready!

Ready?

x86 stable

amd64 stable. Maintainer(s), please cleanup. Security, please vote.

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Guess this was done some time ago:

commit 059cc5d6a7a5a6748dff01ce355c47dde1ccde69
Author: Marek Szuba <marecki@gentoo.org>
Date: Fri Oct 16 12:49:59 2020 +0200

net-libs/xrootd: remove old

Signed-off-by: Marek Szuba <marecki@gentoo.org>

delete mode 100644 net-libs/xrootd/xrootd-4.12.0.ebuild

Still needs vote.

Unable to check for sanity:

> no match for package: net-libs/xrootd-4.12.4

Package list is empty or all packages have requested keywords.

This seems to be of minimal impact, no GLSA.