Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#40992 - [linux-lts] CVE-2014-4608, CVE-2014-4611, LZO/LZ4 vulnerability

Attached to Project: Arch Linux
Opened by Daniel Micay (thestinger) - Friday, 27 June 2014, 03:25 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 28 June 2014, 12:55 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

CVE-2014-4608 (LZO): http://www.openwall.com/lists/oss-security/2014/06/26/21
CVE-2014-4611 (LZ4): http://www.openwall.com/lists/oss-security/2014/06/26/24

The LZO issue is fixed by 3.15.2 and 3.10.45. The LZ4 issue is fixed by 3.15.2, but I don't see it in the changelog for 3.10.45...

Background: http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
This task depends upon

Closed by  Doug Newgard (Scimmia)
Saturday, 28 June 2014, 12:55 GMT
Reason for closing:  Fixed
Additional comments about closing:  3.15.2-1 in testing
Comment by Daniel Micay (thestinger) - Friday, 27 June 2014, 03:45 GMT
At this time, the patch-3.15.2.xz file is also missing so the full source tarball needs to be downloaded.

Changing the _srcname variable to linux-3.15.2 and commenting out the upstream patch line / source file is enough.
Comment by Tobias Powalowski (tpowa) - Friday, 27 June 2014, 08:57 GMT
3.15.2 in [testing]
Comment by Bartłomiej Piotrowski (Barthalion) - Friday, 27 June 2014, 18:48 GMT
So is 3.10.45. Any reason to keep it open?
Comment by Daniel Micay (thestinger) - Friday, 27 June 2014, 21:29 GMT
LZ4 was introduced in 3.11 so this is fixed.

Loading...