FEDORA-2018-5051dbd15e

security update in Fedora 27 for dhcp

Status: stable 2 years ago

Security fix for CVE-2018-5732 CVE-2018-5733

Comments 16

This update has been submitted for testing by landgraf. This critical path update has not yet been approved for pushing to the stable repository. It must first reach a karma of 2, consisting of 0 positive karma from proventesters, along with 2 additional karma from the community. Or, it must spend 14 days in testing without any negative feedback. Additionally, it must pass automated tests.

This update has been pushed to testing.

no regressions noted

karma: +1

works for me

karma: +1

works for me

karma: +1

This update has been submitted for batched by bodhi.

This update has been submitted for stable by landgraf.

This update has been pushed to stable.

@landgraf: was this update originally labelled as security/urgent? I see that it went through batched and spent two days there, which shouldn't have happened if it was marked as urgent.

@zbyszek "security update in Fedora 27 for dhcp". Does it answer your question?

Not really. "security" is the "type", but I'm asking about the "severity" field. It is now "urgent", but was it so when the update was initially submitted?

@zbyszek, Well, you've asked if the update was marked as security and the answer is "yes it was". The fedpkg update template doesn't have a severity field in the default template nor in the one suggested by the security team (https://bugzilla.redhat.com/show_bug.cgi?id=1550246#c1), and not everybody uses the bodhi UI. I hope it answers your questions. Moreover, all the information is available at the right side of this page (https://bodhi.fedoraproject.org/updates/FEDORA-2018-5051dbd15e) and it says:

Update Type security Update Severity urgent

So I don't understand why you keep asking for information you can find yourself very easily.

Just to make things clear: I've changed neither the type nor the update after the update was submitted.

OK, thanks. So that looks like a bug. Karma threshold is +3, and it was reached 6 days ago, according to the log above, and the package was submitted to batched. But it should have been submitted to stable automatically. For some reason that didn't happen, until you did that three days later.

@zbyszek, I've seen the discussion in f-devel@. Right, I was wondering as well but didn't have time to investigate/report this, taking into account two more CVEs in mailman. Is it possible that the Critpath flag affects it somehow?

@zbyszek The answer about the Severity field: it was not set when the update was filed. I have updated this to Urgent after looking at the security team's assessment of the attached security bugs to make sure it went out.


Content Type: RPM
Status: stable
Test Gating:
Submitted by:
Update Type: security
Update Severity: urgent
Karma: +3 (stable threshold: 3, unstable threshold: -3)
Autopush (karma): Enabled
Autopush (time): Disabled
Dates: submitted 2 years ago, in testing 2 years ago, in stable 2 years ago

Related Bugs 3

#1549960 CVE-2018-5732 dhcp: Buffer overflow in dhclient possibly allowing code execution triggered by malicious server
#1549961 CVE-2018-5733 dhcp: Reference count overflow in dhcpd allows denial of service
#1550246 CVE-2018-5732 CVE-2018-5733 dhcp: various flaws [fedora-all]
