| Summary: | <sci-physics/root-{6.28.10,6.30.02}: security vulnerability in current root version, version bump required | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Rafal Lalik <rafallalik> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | critical | CC: | amadio, sci |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://root-forum.cern.ch/t/root-web-is-insecure/57164 | | |
| Whiteboard: | ~4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Rafal Lalik
2023-11-30 11:19:55 UTC
Comment #1

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4230d64773dc7194cced43acf852012680b7f3b

commit e4230d64773dc7194cced43acf852012680b7f3b
Author: Guilherme Amadio <amadio@gentoo.org>
AuthorDate: 2023-11-30 10:39:50 +0000
Commit: Guilherme Amadio <amadio@gentoo.org>
CommitDate: 2023-11-30 12:35:02 +0000

sci-physics/root: add 6.30.02, drop 6.30.00

Closes: https://bugs.gentoo.org/918895
See also: https://root.cern/about/security
Signed-off-by: Guilherme Amadio <amadio@gentoo.org>

sci-physics/root/Manifest | 2 +-
sci-physics/root/{root-6.30.00.ebuild => root-6.30.02.ebuild} | 0
2 files changed, 1 insertion(+), 1 deletion(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=89fdadffee2a558d6bfd1778ba03d231e8ef6644

commit 89fdadffee2a558d6bfd1778ba03d231e8ef6644
Author: Guilherme Amadio <amadio@gentoo.org>
AuthorDate: 2023-11-30 10:42:02 +0000
Commit: Guilherme Amadio <amadio@gentoo.org>
CommitDate: 2023-11-30 12:35:02 +0000

sci-physics/root: add 6.28.10, drop 6.28.08

Bug: https://bugs.gentoo.org/918895
Signed-off-by: Guilherme Amadio <amadio@gentoo.org>

sci-physics/root/Manifest | 2 +-
sci-physics/root/{root-6.28.08.ebuild => root-6.28.10.ebuild} | 0
2 files changed, 1 insertion(+), 1 deletion(-)

Comment #2
Guilherme Amadio

Just for the record, please note that merely having the software installed does not create any problems. The security problem happens when starting a web-based TBrowser (see https://root.cern/about/security for a succinct explanation), which opens a port that allows unauthenticated connections with access to the ROOT prompt.

I unfortunately added a tag when bumping, which closed the bug, but feel free to reopen if you think that's appropriate.

Comment #3
Rafal Lalik

Hi, yes, I understand the nature of the problem and the risks and conditions. I think all that could be done was already done.

Perhaps the comment you made in the previous entry should be displayed to the user in the post-install message?

Comment #4

(In reply to Guilherme Amadio from comment #2)
> Just for the record, please note that merely having the software installed
> does not create any problems. The security problem happens when starting a
> web-based TBrowser (see https://root.cern/about/security for a succinct
> explanation), which opens a port that allows unauthenticated connections
> with access to the ROOT prompt.

Hence my initial C4 severity. It should be ~4 actually, given that there are no stable versions.

> I unfortunately added a tag when bumping, which closed the bug, but feel
> free to reopen if you think that's appropriate.

No need to reopen, with vulnerable versions gone and no GLSA to issue we are all done.

Comment #5

(In reply to Rafal Lalik from comment #3)
> Hi, yes, I understand nature of the problem and risks and conditions.
> I think all what could be done was already done. Perhaps the comment you did
> in the previous entry, that perhaps should be displayed to the user in the
> post install message?

Sure, I will add a message of warning. Users should be aware.