[ClusterLabs] CVE-2019-12779 assignment for libqb (Was: [Announce] libqb 1.0.4/1.0.5 release)
Jan Pokorný
jpokorny at redhat.com
Mon Jun 10 16:38:55 EDT 2019
On 15/04/19 14:56 +0100, Christine Caulfield wrote:
> We are pleased to announce the release of libqb 1.0.4
>
> Source code is available at:
> https://github.com/ClusterLabs/libqb/releases/download/v1.0.4/libqb-1.0.4.tar.xz
>
> Please use the signed .tar.gz or .tar.xz files with the version number
> in rather than the github-generated "Source Code" ones.
>
> This is a security update to 1.0.3. Files are now opened with O_EXCL and
> are placed in directories created by mkdtemp().
For the record, this was (finally, after some initial hesitation about
the process in a situation like this) assigned CVE-2019-12779.
The summary at the MITRE site makes a strict cut in proposing only v1.0.5
as not vulnerable, which is not quite the interpretation proposed, but
hopefully my other response in this thread makes it clear that v1.0.4
is not the right "peace of mind" target for other reasons.
--
Jan (Poki)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.clusterlabs.org/pipermail/users/attachments/20190610/3e35f923/attachment.sig>
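The announcement quoted above names the fix only in passing: files opened with O_EXCL, placed in directories created by mkdtemp(). The following is an added example, not libqb's code and not taken from the release, that contrasts the two patterns on a constructed layout: a "victim" file and an attacker-planted symlink at a predictable name. The reconstruction of the pre-fix pattern (predictable name, O_CREAT without O_EXCL) and all file and directory names are assumptions for illustration; only the mkdtemp()/O_EXCL technique itself comes from the announcement.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pre-fix pattern (hypothetical reconstruction, not libqb's code): a
 * predictable name, O_CREAT but no O_EXCL. open(2) follows a symlink an
 * attacker planted at `path` and O_TRUNC wipes whatever it points to. */
int open_predictable_unsafe(const char *path)
{
    return open(path, O_CREAT | O_RDWR | O_TRUNC, 0600);
}

/* Same predictable name, but O_EXCL: open(2) fails with EEXIST if anything,
 * including a symlink (even a dangling one), already sits at `path`. */
int open_predictable_excl(const char *path)
{
    return open(path, O_CREAT | O_EXCL | O_RDWR | O_NOFOLLOW, 0600);
}

/* Post-fix pattern: a fresh 0700 directory from mkdtemp(3) (unique name,
 * owned by us, so nothing can be planted in it in advance), then the file
 * created with O_CREAT|O_EXCL|O_NOFOLLOW relative to that directory via
 * openat(2). On success `dir_out` receives the directory path. */
int open_in_private_dir(const char *base, const char *name,
                        char *dir_out, size_t dir_out_len)
{
    char tmpl[PATH_MAX];
    if (snprintf(tmpl, sizeof tmpl, "%s/qb-XXXXXX", base) >= (int)sizeof tmpl) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdtemp(tmpl) == NULL)
        return -1;
    int dfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) {
        rmdir(tmpl);
        return -1;
    }
    int fd = openat(dfd, name,
                    O_CREAT | O_EXCL | O_RDWR | O_NOFOLLOW | O_CLOEXEC, 0600);
    int saved = errno;
    close(dfd);
    if (fd < 0) {
        rmdir(tmpl);
        errno = saved;
        return -1;
    }
    snprintf(dir_out, dir_out_len, "%s", tmpl);
    return fd;
}

/* Constructed attack layout: scratch dir, victim file holding 9 bytes,
 * symlink "shared-name" -> victim. Runs `opener` on the symlink path.
 * Returns 2 if the open succeeded and the victim was truncated (clobbered),
 * 1 if the open failed with EEXIST and the victim is intact, 0 otherwise,
 * -1 on setup failure. */
int run_against_planted_symlink(int (*opener)(const char *))
{
    char dir[] = "/tmp/qbdemo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char victim[64], link[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/shared-name", dir);
    int v = open(victim, O_CREAT | O_WRONLY, 0600);
    if (v < 0 || write(v, "important", 9) != 9 || close(v) != 0)
        return -1;
    if (symlink(victim, link) != 0)
        return -1;

    int fd = opener(link);
    int err = errno;
    if (fd >= 0)
        close(fd);

    struct stat st;
    int intact = stat(victim, &st) == 0 && st.st_size == 9;
    unlink(link);
    unlink(victim);
    rmdir(dir);

    if (fd >= 0 && !intact)
        return 2;
    if (fd < 0 && err == EEXIST && intact)
        return 1;
    return 0;
}

int demo_unsafe_follows_symlink(void)
{
    return run_against_planted_symlink(open_predictable_unsafe) == 2;
}

int demo_excl_refuses_symlink(void)
{
    return run_against_planted_symlink(open_predictable_excl) == 1;
}

/* Returns 1 if the hardened path yields a regular file with no group/other
 * bits inside a directory with no group/other bits. */
int demo_safe_create(void)
{
    char dir[PATH_MAX];
    int fd = open_in_private_dir("/tmp", "qb-shm", dir, sizeof dir);
    if (fd < 0)
        return 0;
    struct stat fs, ds;
    int ok = fstat(fd, &fs) == 0 && S_ISREG(fs.st_mode) && (fs.st_mode & 0077) == 0
          && stat(dir, &ds) == 0 && S_ISDIR(ds.st_mode) && (ds.st_mode & 0077) == 0;
    close(fd);
    char path[PATH_MAX + 16];
    snprintf(path, sizeof path, "%s/qb-shm", dir);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("O_CREAT without O_EXCL followed planted symlink: %s\n",
           demo_unsafe_follows_symlink() ? "yes" : "no");
    printf("O_CREAT|O_EXCL refused planted symlink:          %s\n",
           demo_excl_refuses_symlink() ? "yes" : "no");
    printf("mkdtemp + openat(O_EXCL) created private file:   %s\n",
           demo_safe_create() ? "yes" : "no");
    return 0;
}
```

The first demo runs as the same user that owns the scratch directory, so kernel symlink protections that only apply in sticky world-writable directories do not interfere; in a real deployment the shared directory would be something like a world-writable IPC path, which is exactly where a predictable name without O_EXCL is dangerous. Note that O_EXCL alone closes the symlink race but still leaves a denial-of-service (an attacker pre-creates the name so the daemon cannot), which is why the announcement pairs it with a private mkdtemp() directory.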