Bug 198108 (CVE-2006-3582)
| Summary: | CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Ville Skyttä <scop> |
| Component: | adplug | Assignee: | Linus Walleij <triad> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5 | CC: | extras-qa, fedora-security-list |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-07-25 20:35:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Ville Skyttä
2006-07-09 19:01:04 UTC
Solved by upgrading to the new upstream version. Thanks for bringing this to attention, Ville! I hope not too many systems were compromised by rogue AdLib songs ;-)

Thanks for the fix, but please be careful with shared library sonames in the future. Packages built against the old one and depending on it are likely to prevent the new fixed library package from being installed.

Yeah, sorry, I know; in this case I happened to maintain all affected packages, so I just rebuilt them. However, as a first timer the question arises: how do I properly retire an .so file with security vulnerabilities? (Cannot find a good idea in any guidelines.)

(In reply to comment #4)
> Yeah, sorry, I know; in this case I happened to maintain all affected packages

Yes, but only in FE. 3rd party repositories and local packages which use the libs are affected too.

> However, as a first timer the question arises: how do I properly retire an .so
> file with security vulnerabilities? (Cannot find a good idea in any
> guidelines.)

If doable and feasible, backporting only the security fixes and avoiding the soname change would be one way of handling it smoothly. An incompatible upgrade policy and instructions are slowly in the works, but so far there is no consensus except that the very least one should do is to send a mail to fedora-maintainers, notifying about the issue, beforehand if at all possible so others (including non-FC/FE packagers) can prepare. Here's one example which IMO is being handled well.

https://www.redhat.com/archives/fedora-maintainers/2006-July/msg00397.html
https://www.redhat.com/archives/fedora-maintainers/2006-July/msg00398.html