diff --git a/0001-security-Document-assignment-of-CVE-2021-20286.patch b/0001-security-Document-assignment-of-CVE-2021-20286.patch new file mode 100644 index 0000000..ca96878 --- /dev/null +++ b/0001-security-Document-assignment-of-CVE-2021-20286.patch @@ -0,0 +1,39 @@ +From 40308a005eaa6b2e8f98da8952d0c0cacc51efde Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Fri, 12 Mar 2021 17:00:58 -0600 +Subject: [PATCH] security: Document assignment of CVE-2021-20286 + +Now that we finally have a CVE number, it's time to document +the problem (it's low severity, but still a denial of service). + +Fixes: fb4440de9cc7 (opt_go: Tolerate unplanned server death) +--- + docs/libnbd-security.pod | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod +index 876ef2f..3c994de 100644 +--- a/docs/libnbd-security.pod ++++ b/docs/libnbd-security.pod +@@ -22,6 +22,12 @@ L + See the full announcement here: + L + ++=head2 CVE-2021-20286 ++denial of service when using L ++ ++See the full announcement here: ++L ++ + =head1 SEE ALSO + + L. +@@ -34,4 +40,4 @@ Richard W.M. Jones + + =head1 COPYRIGHT + +-Copyright (C) 2019 Red Hat Inc. ++Copyright (C) 2019-2021 Red Hat Inc. +-- +2.29.0.rc2 + diff --git a/libnbd.spec b/libnbd.spec index 901cb5f..a4131cb 100644 --- a/libnbd.spec +++ b/libnbd.spec @@ -9,7 +9,7 @@ Name: libnbd Version: 1.7.3 -Release: 2%{?dist} +Release: 3%{?dist} Summary: NBD client library in userspace License: LGPLv2+ @@ -35,6 +35,9 @@ Patch0005: 0005-copy-file-ops.c-Fix-page-eviction-when-len-page_size.patch # Upstream patch to fix nbdkit test suite. Patch0006: 0006-info-Let-exit-status-reflect-any-failures-during-NBD.patch +# Upstream patch that documents CVE-2021-20286 (already fixed in 1.7.3). +Patch0007: 0001-security-Document-assignment-of-CVE-2021-20286.patch + %if 0%{patches_touch_autotools} BuildRequires: autoconf, automake, libtool %endif 
@@ -311,6 +314,9 @@ make %{?_smp_mflags} check || { %changelog +* Mon Mar 15 2021 Richard W.M. Jones - 1.7.3-3 +- Update documentation for CVE-2021-20286. + * Thu Mar 4 2021 Richard W.M. Jones - 1.7.3-2 - Add fix for nbdkit test suite.
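Review bot: In the docs/libnbd-security.pod hunk (@@ -22,6 +22,12), the new =head2 CVE-2021-20286 section names the impact and links the announcement but does not say where the problem is fixed, although the commit message identifies the fixing commit (fb4440de9cc7). Adding one line that names the fixing commit or the first fixed release would let a reader judge exposure from the security page itself, without following the link.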
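Review bot: In the libnbd.spec hunk at @@ -35,6 +35,9, Patch0007 points at a file whose name starts with 0001-, while the neighbouring entries pair Patch0005 with 0005-... and Patch0006 with 0006-.... Suggest regenerating the file with git format-patch --start-number 7 so it is named 0007-security-Document-assignment-of-CVE-2021-20286.patch. That keeps the tag and the file prefix in step and avoids a name clash if another 0001- patch is added later.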
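Review bot: In the %changelog hunk (@@ -311,6 +314,9), the 1.7.3-3 entry says only "Update documentation for CVE-2021-20286." and drops the fact recorded in the spec comment above Patch0007, that the issue is "already fixed in 1.7.3". The changelog is what gets searched for CVE identifiers, so it is worth stating there that this release changes documentation only, for example "- Document CVE-2021-20286 (code fix already present in 1.7.3)."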