This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate.
Use the following template for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

```
=====

# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=high

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=2118714,2120976

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False

======
```

Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new
I have started the update for open-vm-tools for fc35, fc36, fc37 and fc38. I am getting build failures for fc37 and fc38 (rawhide) but they are unrelated to the security fix to the source code. I am also getting the same build failures with the current open-vm-tools 12.0.5-2 top-of-tree source. Investigating why the "mass" build for Fedora 37 succeeded and now it is failing.

In the meantime I am attaching the following:

- 1205-Properly-check-authorization-on-incoming-guestOps-re.patch # fix for CVE-2022-31676
- open-vm-tools.spec # partial change
  - contains Release bump to '3'
  - defines Patch1 for the CVE patch being added.
  - missing ChangeLog update
Created attachment 1908324 Fix for CVE-2022-31676

Created attachment 1908325 Preliminary revision to the open-vm-tools.spec file

Work in progress:

- Release # bumped to "3"
- Added Patch1 for the CVE fix
- missing the ChangeLog update associated with this revision in progress.
In the process of preparing the fix to open-vm-tools 12.0.5 for PR 120976 - CVE-2022-31676, and find that I cannot build the existing open-vm-tools 12.0.5-2 packages.

- fc35: open-vm-tools-12.0.5-2.fc35 - BUILDS
- fc36: open-vm-tools-12.0.5-2.fc36 - BUILDS
- fc37: open-vm-tools-12.0.5-2.fc37 - FAILS packaging.
- fc38: open-vm-tools-12.0.5-2.fc38 - FAILS packaging.

That makes me wonder how the "mass" rebuild for Fedora 37 succeeded?

The failure is related to the packaging of the ??????????????

For fc36 build:
===========================

Build command: `fedpkg --release f36 mockbuild --no-cleanup-after`

from results_open-vm-tools/12.0.5/2.fc36/build.log

```
> /usr/bin/install -p -d /builddir/build/BUILDROOT/open-vm-tools-12.0.5-2.fc36.x86_64/usr/lib/udev/rules.d
> /usr/bin/install -p -m 644 ./99-vmware-scsi-udev.rules /builddir/build/BUILDROOT/open-vm-tools-12.0.5-2.fc36.x86_64/usr/lib/udev/rules.d
> ^^^^
> ...
> + chmod a-x /builddir/build/BUILDROOT/open-vm-tools-12.0.5-2.fc36.x86_64/usr/lib/udev/rules.d/99-vmware-scsi-udev.rules
```

from /var/lib/mock/fedora-36-x86_64/root/builddir/build//BUILD/open-vm-tools-12.0.5-19716617/config.log

```
> UDEVRULESDIR='/usr/lib/udev/rules.d'
```

For fc37 build:
========================

Build command: `fedpkg --release f37 mockbuild --no-cleanup-after`

from results_open-vm-tools/12.0.5/2.fc37/build.log

```
> /usr/bin/install -p -d /builddir/build/BUILDROOT/open-vm-tools-12.0.5-2.fc37.x86_64/lib/udev/rules.d
> /usr/bin/install -p -m 644 ./99-vmware-scsi-udev.rules /builddir/build/BUILDROOT/open-vm-tools-12.0.5-2.fc37.x86_64/lib/udev/rules.d
> ^===== no /usr
> ...
> + chmod a-x /builddir/build/BUILDROOT/open-vm-tools-12.0.5-2.fc37.x86_64/usr/lib/udev/rules.d/99-vmware-scsi-udev.rules
> chmod: cannot access '/builddir/build/BUILDROOT/open-vm-tools-12.0.5-2.fc37.x86_64/usr/lib/udev/rules.d/99-vmware-scsi-udev.rules': No such file or directory
```

from /var/lib/mock/fedora-37-x86_64/root/builddir/build//BUILD/open-vm-tools-12.0.5-19716617/config.log;

```
> UDEVRULESDIR='/lib/udev/rules.d' # missing the "/usr" prefix ????
```
FEDORA-2022-20d374ce8f has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-20d374ce8f
FEDORA-2022-cd23eac6f4 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-cd23eac6f4
FEDORA-2022-9a73b28b96 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9a73b28b96
FEDORA-2022-20d374ce8f has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-20d374ce8f` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-20d374ce8f See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-cd23eac6f4 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-cd23eac6f4` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-cd23eac6f4 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-9a73b28b96 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-9a73b28b96` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9a73b28b96 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-cd23eac6f4 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-1b8d3b2845 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-1b8d3b2845` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-1b8d3b2845 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-1c9c0bacaf has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-1c9c0bacaf` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-1c9c0bacaf See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-1b8d3b2845 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-1c9c0bacaf has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.