Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#75447 - [libtirpc] [security] CVE-2021-46828
Attached to Project:
Arch Linux
Opened by mysta (mysta) - Thursday, 28 July 2022, 17:14 GMT
Last edited by Andreas Radke (AndyRTR) - Monday, 08 August 2022, 19:29 GMT
Details
Description:
The libtirpc package is vulnerable to CVE-2021-46828, a DoS bug fixed upstream. The attached diff pulls in the commit to fix it and also switches from sha1sums to sha256sums.
Additional info: https://git.linux-nfs.org/?p=steved/libtirpc.git;a=patch;h=86529758570cef4c73fb9b9c4104fdc510f701ed;hp=7089bb02714e23b9c737c22d64f1ee3b256e45f4
Closed by Andreas Radke (AndyRTR)
Monday, 08 August 2022, 19:29 GMT
Reason for closing: Fixed
Additional comments about closing: 1.3.3-1

Upstream released libtirpc 1.3.3-rc4 two days ago, which includes the fixes, but I think it would be worth backporting now anyway. I say this because there has been a span of 11 months between rc1 and rc4... so the final 1.3.3 release might not be as close as it seems.