Bug 2242402 - tacacs: CVE-2023-45239
Summary: tacacs: CVE-2023-45239
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: tacacs
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Davide Cavalca
QA Contact:
URL:
Whiteboard: AcceptedFreezeException
Depends On:
Blocks: F39FinalFreezeException
Reported: 2023-10-05 21:37 UTC by Davide Cavalca
Modified: 2023-10-09 22:25 UTC

Fixed In Version: tacacs-F4.0.4.28.7fb~20231005g4fdf178-1.fc40 tacacs-F4.0.4.28.7fb~20231005g4fdf178-2.el9 tacacs-F4.0.4.28.7fb~20231005g4fdf178-1.fc37 tacacs-F4.0.4.28.7fb~20231005g4fdf178-2.el8 tacacs-F4.0.4.28.7fb~20231005g4fdf178-1.fc38
Clone Of:
Environment:
Last Closed: 2023-10-09 22:25:49 UTC
Type: ---
Embargoed:



Description Davide Cavalca 2023-10-05 21:37:35 UTC
https://github.com/facebook/tac_plus/commit/68ba2a19472da0a3de28c41b7a2e222438dca359 resolves CVE-2023-45239 in tacacs and needs to be included in the package

Reproducible: Always

Comment 1 Fedora Blocker Bugs Application 2023-10-05 21:47:56 UTC
Proposed as a Freeze Exception for 39-final by Fedora user dcavalca using the blocker tracking app because:

 This is a self-contained change that fixes a major security vulnerability in the tacacs package.

Comment 2 Fedora Update System 2023-10-05 21:49:39 UTC
FEDORA-2023-a219299297 has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a219299297

Comment 3 Fedora Update System 2023-10-05 21:52:10 UTC
FEDORA-2023-a219299297 has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2023-10-05 22:00:45 UTC
FEDORA-2023-96c21ed09c has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-96c21ed09c

Comment 5 Fedora Update System 2023-10-05 22:11:13 UTC
FEDORA-2023-6f9e904861 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-6f9e904861

Comment 6 Fedora Update System 2023-10-05 22:21:19 UTC
FEDORA-2023-ef2653f707 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-ef2653f707

Comment 7 Fedora Update System 2023-10-05 22:32:04 UTC
FEDORA-EPEL-2023-4aac16fe21 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-4aac16fe21

Comment 8 Fedora Update System 2023-10-05 22:44:03 UTC
FEDORA-EPEL-2023-a6d0c485c1 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-a6d0c485c1

Comment 9 Fedora Update System 2023-10-06 00:39:45 UTC
FEDORA-EPEL-2023-4aac16fe21 has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2023-10-06 00:51:06 UTC
FEDORA-2023-ef2653f707 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2023-10-06 00:59:55 UTC
FEDORA-EPEL-2023-a6d0c485c1 has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2023-10-06 01:28:36 UTC
FEDORA-2023-6f9e904861 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 13 Fedora Update System 2023-10-06 02:13:24 UTC
FEDORA-2023-96c21ed09c has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-96c21ed09c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-96c21ed09c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 15 Davide Cavalca 2023-10-06 21:44:55 UTC
Leaving this in POST as the f39 update hasn't hit stable yet

Comment 16 Adam Williamson 2023-10-09 15:34:53 UTC
+6 in https://pagure.io/fedora-qa/blocker-review/issue/1391 , marking accepted FE. ON_QA is the right state for the update being in updates-testing.

Comment 17 Fedora Update System 2023-10-09 22:25:49 UTC
FEDORA-2023-96c21ed09c has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

