See https://listman.redhat.com/archives/libguestfs/2023-September/032711.html.

"""
Lifecycle
---------

Reported: 2023-09-17
Fixed: 2023-09-22
Published: 2023-09-26

At the time of this email, the Red Hat security team is analyzing potential security impacts to determine if a CVE is warranted against libnbd; if one is assigned, a followup email will announce that identifier. However, even if a CVE is not assigned to libnbd, the issues documented here warrant an audit of clients that utilize the nbd_get_size() API from libnbd, to see if they might be subject to a weakness when interpreting a large size as a negative value. The libnbd developers felt it more important to issue this security notice prior to the release of v1.18 than to hold up the release schedule waiting for final analysis on whether libnbd needs a CVE.
"""

(A CVE was later assigned as CVE-2023-5215).

Please bump to 1.16.5/1.18.0.
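The client-side audit the quoted advisory asks for, as an added example that is not libnbd code and not part of the original report: it models an unsigned 64-bit export size handed back through a signed return value and contrasts a check that rejects only -1 with one that rejects every negative value. The functions `model_get_size`, `naive_accepts`, `checked_size` and `range_in_export` are hypothetical, and the sample sizes are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a pre-fix library: an unsigned 64-bit wire size is returned
 * as int64_t (implementation-defined conversion; wraps on two's complement). */
static int64_t model_get_size(uint64_t wire_size) { return (int64_t)wire_size; }

/* Weak client check: only the error value -1 is rejected, so any other
 * negative value is taken to be a usable size. */
static bool naive_accepts(int64_t ret) { return ret != -1; }

/* Audited client check: every negative value is refused. -1 keeps the errno
 * set by the library; other negatives are reported as EOVERFLOW. */
static int checked_size(int64_t ret, uint64_t *size_out) {
    if (ret < 0) {
        if (ret != -1) errno = EOVERFLOW;
        return -1;
    }
    *size_out = (uint64_t)ret;
    return 0;
}

/* Overflow-safe test that [offset, offset + count) lies inside the export. */
static bool range_in_export(uint64_t size, uint64_t offset, uint64_t count) {
    return offset <= size && count <= size - offset;
}

int main(void) {
    /* Constructed sample sizes, not taken from any real server. */
    const uint64_t samples[] = { 4096, INT64_MAX, (uint64_t)INT64_MAX + 1, UINT64_MAX - 1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t ret = model_get_size(samples[i]);
        uint64_t size = 0;
        bool ok = checked_size(ret, &size) == 0;
        printf("wire=%llu ret=%lld naive=%d checked=%d first_sector_ok=%d\n",
               (unsigned long long)samples[i], (long long)ret,
               naive_accepts(ret), ok, ok && range_in_export(size, 0, 512));
    }
    return 0;
}
```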
ping
huh, apparently I don't have libnbd in my feed reader.. strange. working on a bump now.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bd36b8ff84d387ec31c43817c5b5d985cf71759

commit 2bd36b8ff84d387ec31c43817c5b5d985cf71759
Author:     Arsen Arsenović <arsen@gentoo.org>
AuthorDate: 2023-11-13 10:43:23 +0000
Commit:     Arsen Arsenović <arsen@gentoo.org>
CommitDate: 2023-11-13 10:56:08 +0000

    sys-libs/libnbd: add 1.18.1

    Bug: https://bugs.gentoo.org/915353
    Signed-off-by: Arsen Arsenović <arsen@gentoo.org>

 sys-libs/libnbd/Manifest             |  1 +
 sys-libs/libnbd/libnbd-1.18.1.ebuild | 81 ++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+)