Bug 14070

Summary: [CVE 21] glibc 2.33 CVEs found (2)
Product: [ROSA-based products] ROSA Fresh
Reporter: Vladimir Potapov <v.potapov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: blocker
Priority: Highest
CC: m.novosyolov, pastordidi
Version: All
Flags:
  v.potapov: qa_verified+
  v.potapov: secteam_verified?
  v.potapov: published+
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Platform: ---
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Comment 1 Mikhail Novosyolov 2023-12-04 03:08:54 MSK
************ QA ADVISORY ***********

glibc 2.33-10.git1a2009.2
- use all backported updates, including fixes of CVEs, from https://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/release/2.33/master

https://abf.io/build_lists/4856091
https://abf.io/build_lists/4856092
https://abf.io/build_lists/4856093
https://abf.io/build_lists/4856095
(no e2kv4)

Comment 2 Dmitry Postnikov 2023-12-04 13:10:53 MSK
*****************************
Update sent to Testing

Comment 3 Mikhail Novosyolov 2023-12-11 20:02:50 MSK
Do not publish this update yet.

Comment 4 Mikhail Novosyolov 2023-12-11 23:46:43 MSK
************ QA ADVISORY ***********

glibc 2.33-10.git1a2009.3
- use all backported updates, including fixes of CVEs, from https://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/release/2.33/master
- fix of CVE-2023-4806
- fix of CVE-2023-4813 (lost in previous update)
https://abf.io/build_lists/4885430
https://abf.io/build_lists/4885431
https://abf.io/build_lists/4885432
https://abf.io/build_lists/4885433

A fix for CVE-2023-5156 is not required (not relevant to our version; our fix for 4806 does not introduce 5156).

CVE-2013-4412 is not in glibc.
CVE-2010-4756 is not a vulnerability; see the discussion at https://bugzilla.redhat.com/show_bug.cgi?id=681681

Comment 5 Dmitry Postnikov 2023-12-14 14:11:46 MSK
*****************************
Update sent to Testing

Comment 6 Vladimir Potapov 2023-12-19 12:35:02 MSK
glibc-2.33-10.git1a2009.2
https://abf.io/build_lists/4885430
https://abf.io/build_lists/4885431
https://abf.io/build_lists/4885432
https://abf.io/build_lists/4885433
*********************** Advisory ********************
use all backported updates, including fixes of CVEs, from https://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/release/2.33/master
- fix of CVE-2023-4806
- fix of CVE-2023-4813 (lost in previous update)
*****************************************************
QA Verified