Patch for netmask CVE-2021-28918

[rbode]

Hi All,

I found that the latest MX, last updated 3/30/21, also suffers from the netmask bug CVE-2021-28918 see: https://github.com/sickcodes/security/b ... 021-011.md

See: ping 0127.0127.0127.0127 results in 87.87.87.87

Are you aware of this....?

BTW: I am VERY HAPPY with MX !!!

Regards,
Rene

[agnivo007]

https://security-tracker.debian.org/tra ... 2021-28918

Looks like unreported to dedian and various databases listed on the above page.
Currently redhat tracker has any info : https://bugzilla.redhat.com/show_bug.cg ... 2021-28918

EDIT: Wrongly posted different link. Someone should report to debian.

[Stevo]

So...no, as long as you're using the standard 4.19 MX 19 Debian buster kernel, the 5.10.24 AHS kernel. I've just backported the latest fixed Buster 4.19.181 kernel to MX 17/18, and will upload it, but then we'll have to update that choice in MX Package Installer and users have to manually update there.

Is there a button for "this really was not an issue?"

[Jerry3904]

Are you aware of this....?

Almost always by the time users see a problem mentioned in popular sources--it has already been fixed.

[agnivo007]

I have updated the post, looks like no info on this on various distro bug trackers including debian (unreported) affecting the netmask npm package.

[SwampRabbit]

STEP 0 - Remain Calm

The darn thing was just announced "publicly", its been known by the people that need to know for 2 weeks, and everyone that needs to be working on it has and is.

Did anyone even look at the affected versions and what is actually installed on their systems? Probably not, but wouldn't it be funny if npm and the netmask module wasn't even installed OOTB on MX?

The interwebs is dark and full of terrors, it will be that way today, tomorrow, and the next, and the next.

[agnivo007]

Yea, quite true, it's not wise too be too paranoid; especially when one doesn't have the affected software on their system.