Bug 1462966

Summary: CVE-2017-7778: Vulnerabilities in the Graphite 2 library (update to 1.3.10)
Product: [Fedora] Fedora
Reporter: blammegga <blammegga>
Component: graphite2
Assignee: Nicholas van Oudtshoorn <vanoudt>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 25
CC: caolanm, jhorak, mike, stransky, vanoudt
Fixed In Version: graphite2-1.3.10-1.fc26 graphite2-1.3.10-1.fc25 graphite2-1.3.10-1.fc24
Last Closed: 2017-06-25 16:20:53 UTC
Type: Bug

Description blammegga 2017-06-19 18:48:07 UTC
"A number of security vulnerabilities in the Graphite 2 library including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory. These issues were addressed in Graphite 2 version 1.3.10."
(https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7778)

This package doesn't seem to have been updated along with Firefox....

Comment 1 Michael Cronenworth 2017-06-22 15:05:05 UTC
Are there any negative side effects on pushing this update to F24+? The ChangeLog looks harmless. If no one pushes this update in the next day or two I'll push it.

Comment 2 Fedora Update System 2017-06-23 16:16:34 UTC
graphite2-1.3.10-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d739368f0d

Comment 3 blammegga 2017-06-24 01:44:44 UTC
Thanks, Michael

Comment 4 Fedora Update System 2017-06-24 21:49:02 UTC
graphite2-1.3.10-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e0a9e51dd5

Comment 5 Fedora Update System 2017-06-24 22:23:15 UTC
graphite2-1.3.10-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-03ef6281a8

Comment 6 Fedora Update System 2017-06-25 01:19:34 UTC
graphite2-1.3.10-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d739368f0d

Comment 7 Fedora Update System 2017-06-25 16:20:53 UTC
graphite2-1.3.10-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2017-06-28 20:52:15 UTC
graphite2-1.3.10-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2017-07-12 01:49:42 UTC
graphite2-1.3.10-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.