Bug 838162 - CVE-2012-3381 sblim-sfcb: insecure LD_LIBRARY_PATH usage [epel-5]
CVE-2012-3381 sblim-sfcb: insecure LD_LIBRARY_PATH usage [epel-5]
Status: CLOSED WONTFIX
Product: Fedora EPEL
Classification: Fedora
Component: sblim-sfcb (Show other bugs)
el5
All Linux
low Severity low
: ---
: ---
Assigned To: Vitezslav Crhonek
Fedora Extras Quality Assurance
fst_owner=pjp
: Security, SecurityTracking
Depends On:
Blocks: CVE-2012-3381
  Show dependency treegraph
 
Reported: 2012-07-06 17:44 EDT by Kurt Seifried
Modified: 2016-08-29 08:19 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-29 08:19:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2012-07-06 17:44:22 EDT
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs).  Please mention the CVE IDs being fixed
in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=838160

epel-5 tracking bug for sblim-sfcb: see blocks bug list for full details of the security issue(s).

[bug automatically created by: add-tracking-bugs]
Comment 1 pjp 2014-11-01 06:11:33 EDT
The patch seems to be available since long

 -> http://sourceforge.net/p/sblim/bugs/2499/#eadb

Could you please have a look?
Comment 2 Vitezslav Crhonek 2014-11-06 09:30:04 EST
Well, fixing this issue doesn't make much sense to me:

1) I wonder why sblim-sfcb is in EPEL, it's part of RHEL for longer time. Shouldn't it be removed from EPEL then? (I wasn't able to find it in Fedora packaging guidelines.)

2) low/low and it's resolved by using systemd in recent Fedora/RHEL releases.

But okay, if you're interested...
Comment 3 Fedora Update System 2014-11-06 09:36:59 EST
sblim-sfcb-1.3.8-2.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/sblim-sfcb-1.3.8-2.el5
Comment 4 pjp 2014-11-06 10:02:28 EST
  Hello Vitezslav,

(In reply to Vitezslav Crhonek from comment #2)
> Well, fixing this issue doesn't make much sense to me:
> 
> 1) I wonder why sblim-sfcb is in EPEL, it's part of RHEL for longer time.
> Shouldn't it be removed from EPEL then? (I wasn't able to find it in Fedora
> packaging guidelines.)

  Yes, if the package is available via RHEL, it makes sense to retire it from EPEL repository.

  -> https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

Please do retire it from EPEL.

Thank you.
Comment 5 Fedora Update System 2014-11-09 10:39:17 EST
Package sblim-sfcb-1.3.8-2.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing sblim-sfcb-1.3.8-2.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3849/sblim-sfcb-1.3.8-2.el5
then log in and leave karma (feedback).
Comment 6 pjp 2014-11-13 09:29:09 EST
  Hello Vitezslav,

Did you have chance to file for its retirement from epel-5?
Comment 7 Vitezslav Crhonek 2014-11-13 10:05:50 EST
Hi,

thanks for reminder, done.
Comment 8 pjp 2016-08-29 08:19:05 EDT
EL5 branch has been retired.
  -> https://admin.fedoraproject.org/pkgdb/package/rpms/sblim-sfcb/

Closing this bug.

Note You need to log in before you can comment on or make changes to this bug.