Bug 13263

Summary: [CVE 21] libksba 1.3.5 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: High
CC: a.proklov, e.kosachev, e.malashin, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+, e.kosachev: secteam_verified+, a.proklov: published+
Target Milestone: 2021.1 Fresh R12   
Hardware: All   
OS: Linux   
URL: CVE-2022-3515, CVE-2022-47629,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-05-03 13:57:42 MSK
Please patch CVEs for package libksba version 1.3.5  
INFO (CVEs are): libksba 1.3.5 cves found
CVE-2022-3515
Desc: A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-3515
Severity: CRITICAL
CVE-2022-47629
Desc: Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-47629
Severity: CRITICAL
Comment 1 Svyatoslav Matveev 2023-05-04 11:01:14 MSK
********** QA ADVISORY **********

CVE closed with patches.

*** libksba

https://abf.io/build_lists/4434326
https://abf.io/build_lists/4434327
https://abf.io/build_lists/4434325
https://abf.io/build_lists/4434329
https://abf.io/build_lists/4434328
Comment 2 e.malashin@rosalinux.ru 2023-05-04 12:37:42 MSK
The update was sent to testings
Comment 3 Vladimir Potapov 2023-05-10 12:11:45 MSK
libksba-1.3.5-10
https://abf.io/build_lists/4434326
https://abf.io/build_lists/4434327
https://abf.io/build_lists/4434325
https://abf.io/build_lists/4434329
https://abf.io/build_lists/4434328
****************************** Advisory ***********************
CVE-2022-3515 fix
***************************************************************
QA Verified
Comment 4 Eduard 2023-06-20 13:21:44 MSK
Secteam approved