Arch Linux

FS#75447 - [libtirpc] [security] CVE-2021-46828

Attached to Project: Arch Linux
Opened by mysta (mysta) - Thursday, 28 July 2022, 17:14 GMT
Last edited by Andreas Radke (AndyRTR) - Monday, 08 August 2022, 19:29 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Andreas Radke (AndyRTR)
Architecture: All
Severity: High
Priority: Normal
Reported Version
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No


The libtirpc package is vulnerable to CVE-2021-46828, a DoS bug fixed upstream. The attached diff pulls in the commit to fix it and also switches from sha1sums to sha256sums.

Additional info:;a=patch;h=86529758570cef4c73fb9b9c4104fdc510f701ed;hp=7089bb02714e23b9c737c22d64f1ee3b256e45f4

Closed by Andreas Radke (AndyRTR) - Monday, 08 August 2022, 19:29 GMT
Reason for closing: Fixed
Additional comments about closing: 1.3.3-1

Comment by mysta (mysta) - Saturday, 30 July 2022, 17:47 GMT
Upstream released libtirpc 1.3.3-rc4 two days ago, which includes the fixes, but I think it would be worth backporting now anyway. I say this because there has been a span of 11 months between rc1 and rc4... so the final 1.3.3 release might not be as close as it seems.