Summary: | <net-libs/libnpupnp-4.1.4: DNS rebinding vulnerability in npupnp (CVE-2021-31718) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS --- | ||
Severity: | minor | CC: | stasibear |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.openwall.com/lists/oss-security/2021/04/20/2 | ||
Whiteboard: | B4 [glsa?] | ||
Package list: | Runtime testing required: | --- |
Description
Thomas Deutschmann (RETIRED)
Package list is empty or all packages have requested keywords.

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7d0dd3b17b0588881711f671bcfee23334a01a0

commit f7d0dd3b17b0588881711f671bcfee23334a01a0
Author: Erik Mackdanz <stasibear@gentoo.org>
AuthorDate: 2021-08-03 20:51:55 +0000
Commit: Erik Mackdanz <stasibear@gentoo.org>
CommitDate: 2021-08-03 20:51:55 +0000

net-libs/libnpupnp: bump to 4.1.4

Closes: https://bugs.gentoo.org/784593
Signed-off-by: Erik Mackdanz <stasibear@gentoo.org>
Package-Manager: Portage-3.0.20, Repoman-3.0.3

net-libs/libnpupnp/Manifest | 1 +
net-libs/libnpupnp/libnpupnp-4.1.4.ebuild | 37 +++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+)

Reopening, we need to stable and so on - please CC arches when ready, thanks!

Unable to check for sanity:

> no match for package: net-libs/libnpupnp-1.4.4

All sanity-check issues have been resolved

ping, ready to stable?

I can stabilize it. I usually wait 30 days per the handbook but given there's a GLSA and the package is otherwise low-risk I don't mind shortening that.

(In reply to Erik Mackdanz from comment #12)

> I can stabilize it. I usually wait 30 days per the handbook but given
> there's a GLSA and the package is otherwise low-risk I don't mind shortening
> that.

We don't worry about waiting the full period if it's a low-risk change and such when there's a security bug. Just add CC-ARCHES to the KEYWORDS on the bug when it's ready and it'll roll. Thanks!

4.1.4 is stable, no need for further stabilization

No problem. I can't tell if the Security team is waiting for me to do something. I don't think so, so I'll wander away and let Security close this when you're ready.