Updated libidn packages fix security vulnerability
Publication date: 26 Jul 2016
Modification date: 26 Jul 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-6261, CVE-2015-8948, CVE-2016-6262, CVE-2016-6263
Description
Out-of-bounds stack read in idna_to_ascii_4i in libidn before 1.33 (CVE-2016-6261). Out-of-bounds read in libidn when reading one zero byte as input (CVE-2015-8948, CVE-2016-6262). In libidn before 1.33, stringprep_utf8_nfkc_normalize would crash when presented with invalid UTF-8 (CVE-2016-6263).
References
- https://bugs.mageia.org/show_bug.cgi?id=19011
- https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html
- http://openwall.com/lists/oss-security/2016/07/21/4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EQDCSQNM5LICMOIEU5H63QDQ4Z436KC5/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6261
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8948
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6262
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6263
SRPMS
5/core
- libidn-1.33-1.mga5