FS#75447 - [libtirpc] [security] CVE-2021-46828

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Thursday, 28 July 2022, 17:14 GMT
Last edited by Andreas Radke (AndyRTR) - Monday, 08 August 2022, 19:29 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Andreas Radke (AndyRTR)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No


The libtirpc package is vulnerable to CVE-2021-46828, a DoS bug fixed upstream. The attached diff pulls in the commit to fix it and also switches from sha1sums to sha256sums.

Closed by Andreas Radke (AndyRTR)
Monday, 08 August 2022, 19:29 GMT
Reason for closing: Fixed
Additional comments about closing: 1.3.3-1
Comment by T.J. Townsend (blakkheim) - Saturday, 30 July 2022, 17:47 GMT
Upstream released libtirpc 1.3.3-rc4 two days ago, which includes the fixes, but I think it would be worth backporting now anyway. I say this because there has been a span of 11 months between rc1 and rc4... so the final 1.3.3 release might not be as close as it seems.