GNU bug report logs - #56520
Security vulnerabilities at coreutils version for CentOS 7.9

Previous Next

Package: coreutils;

Reported by: Meirav Rath <meirav.rath <at> imperva.com>

Date: Tue, 12 Jul 2022 15:28:03 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 56520 in the body.
You can then email your comments to 56520 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-coreutils <at> gnu.org:
bug#56520; Package coreutils. (Tue, 12 Jul 2022 15:28:03 GMT) Full text and rfc822 format available.
Acknowledgement sent to Meirav Rath <meirav.rath <at> imperva.com>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Tue, 12 Jul 2022 15:28:03 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Meirav Rath <meirav.rath <at> imperva.com>
To: "bug-coreutils <at> gnu.org" <bug-coreutils <at> gnu.org>
Cc: Gadi Friedman <gadi.friedman <at> imperva.com>,
 Ariel Bressler <ariel.bressler <at> imperva.com>
Subject: Security vulnerabilities at coreutils version for CentOS 7.9
Date: Tue, 12 Jul 2022 12:43:01 +0000

[Message part 1 (text/plain, inline)]
Hello,

My name is Meirav Rath, I'm a software developer and security champion at Imperva.
As part of our effort to map security risks in our products I've been scanning our 3rd party rpms for vulnerabilities. It looks like coreutils available rpm for CentOS 7.9 (8.22) has the vulnerability CVE-2017-18018<https://nvd.nist.gov/vuln/detail/CVE-2017-18018>.

When can we expect an updated RPM of a more advanced version with fixes for this issues, aimed for CentOS7.9?

Thanks.



[cid:image001.png <at> 01D89606.0E772890]

Meirav Rath | SW Engineer & DB Researcher | Data Control team
meirav.rath <at> imperva.com | o: +972 3-684-1665 | m: +972 54-593-1551
imperva.com<https://imperva.com/> | facebook<https://www.facebook.com/imperva> | linkedin<https://www.linkedin.com/company/imperva> | twitter<https://twitter.com/imperva>

-------------------------------------------
This message is confidential. If you believe you received this message in error, please inform the sender and delete this message and all attachments.

[Message part 2 (text/html, inline)]
[image001.png (image/png, inline)]
Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>:
You have taken responsibility. (Tue, 12 Jul 2022 15:46:02 GMT) Full text and rfc822 format available.
Notification sent to Meirav Rath <meirav.rath <at> imperva.com>:
bug acknowledged by developer. (Tue, 12 Jul 2022 15:46:03 GMT) Full text and rfc822 format available.

Message #10 received at 56520-done <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Meirav Rath <meirav.rath <at> imperva.com>
Cc: 56520-done <at> debbugs.gnu.org, Gadi Friedman <gadi.friedman <at> imperva.com>,
 Ariel Bressler <ariel.bressler <at> imperva.com>
Subject: Re: bug#56520: Security vulnerabilities at coreutils version for
 CentOS 7.9
Date: Tue, 12 Jul 2022 08:45:04 -0700

On 7/12/22 05:43, Meirav Rath via GNU coreutils Bug Reports wrote:
> It looks like coreutils available rpm for CentOS 7.9 (8.22) has the vulnerability CVE-2017-18018<https://nvd.nist.gov/vuln/detail/CVE-2017-18018>.
> 
> When can we expect an updated RPM of a more advanced version with fixes for this issues, aimed for CentOS7.9?

CentOS is downstream from the Coreutils project, so I suggest asking the 
CentOS maintainers instead of this mailing list.
Information forwarded to bug-coreutils <at> gnu.org:
bug#56520; Package coreutils. (Tue, 12 Jul 2022 21:54:01 GMT) Full text and rfc822 format available.

Message #13 received at 56520 <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: Meirav Rath <meirav.rath <at> imperva.com>, 56520 <at> debbugs.gnu.org
Cc: Gadi Friedman <gadi.friedman <at> imperva.com>,
 Ariel Bressler <ariel.bressler <at> imperva.com>
Subject: Re: bug#56520: Security vulnerabilities at coreutils version for
 CentOS 7.9
Date: Tue, 12 Jul 2022 22:52:58 +0100

On 12/07/2022 13:43, Meirav Rath via GNU coreutils Bug Reports wrote:
> Hello,
> 
> My name is Meirav Rath, I'm a software developer and security champion at Imperva.
> As part of our effort to map security risks in our products I've been scanning our 3rd party rpms for vulnerabilities. It looks like coreutils available rpm for CentOS 7.9 (8.22) has the vulnerability CVE-2017-18018<https://nvd.nist.gov/vuln/detail/CVE-2017-18018>.
> 
> When can we expect an updated RPM of a more advanced version with fixes for this issues, aimed for CentOS7.9?

This was previously discussed at:
https://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html
With corresponding doc patch at:
https://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=bc2fd9796

cheers,
Pádraig
Information forwarded to bug-coreutils <at> gnu.org:
bug#56520; Package coreutils. (Wed, 13 Jul 2022 11:54:02 GMT) Full text and rfc822 format available.

Message #16 received at 56520 <at> debbugs.gnu.org (full text, mbox):

From: Meirav Rath <meirav.rath <at> imperva.com>
To: Pádraig Brady <P <at> draigBrady.com>,
 "56520 <at> debbugs.gnu.org" <56520 <at> debbugs.gnu.org>
Cc: Gadi Friedman <gadi.friedman <at> imperva.com>,
 Ariel Bressler <ariel.bressler <at> imperva.com>
Subject: RE: bug#56520: Security vulnerabilities at coreutils version for
 CentOS 7.9
Date: Wed, 13 Jul 2022 09:10:03 +0000

Hi Pádraig,

Thank you, I will discuss this further with CentOS.

Cheers,
Meirav.




Meirav Rath | SW Engineer & DB Researcher | Data Control team
meirav.rath <at> imperva.com | o: +972 3-684-1665 | m: +972 54-593-1551
imperva.com | facebook | linkedin | twitter

-----Original Message-----
From: Pádraig Brady <pixelbeat <at> gmail.com> On Behalf Of Pádraig Brady
Sent: Wednesday, July 13, 2022 12:53 AM
To: Meirav Rath <meirav.rath <at> imperva.com>; 56520 <at> debbugs.gnu.org
Cc: Gadi Friedman <gadi.friedman <at> imperva.com>; Ariel Bressler <ariel.bressler <at> imperva.com>
Subject: Re: bug#56520: Security vulnerabilities at coreutils version for CentOS 7.9

CAUTION: This message was sent from outside the company. Do not click links or open attachments unless you recognize the sender and know the content is safe.


On 12/07/2022 13:43, Meirav Rath via GNU coreutils Bug Reports wrote:
> Hello,
>
> My name is Meirav Rath, I'm a software developer and security champion at Imperva.
> As part of our effort to map security risks in our products I've been scanning our 3rd party rpms for vulnerabilities. It looks like coreutils available rpm for CentOS 7.9 (8.22) has the vulnerability CVE-2017-18018<https://nvd.nist.gov/vuln/detail/CVE-2017-18018>.
>
> When can we expect an updated RPM of a more advanced version with fixes for this issues, aimed for CentOS7.9?

This was previously discussed at:
https://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html
With corresponding doc patch at:
https://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=bc2fd9796

cheers,
Pádraig
-------------------------------------------
This message is confidential. If you believe you received this message in error, please inform the sender and delete this message and all attachments.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 11 Aug 2022 11:24:06 GMT) Full text and rfc822 format available.
This bug report was last modified 2 years and 312 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.