CVE-2023-44446 raised against gstreamer not uploaded to repository

Support for security such as Firewalls and securing linux
mp0026778
Posts: 5
Joined: 2023/05/02 17:08:06

CVE-2023-44446 raised against gstreamer not uploaded to repository

Post by mp0026778 » 2024/01/22 11:44:52

CVE-2023-44446 raised against gstreamer was fixed by RHEL on 17th Jan 2024. The fix is not available in the mirror repos.

TrevorH
Site Admin
Posts: 33165
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Post by TrevorH » 2024/01/22 12:43:05

It's in progress.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

eliezer318
Posts: 9
Joined: 2024/01/25 17:12:27

CVE-2023-44446 raised against gstreamer not uploaded to repository

Post by eliezer318 » 2024/01/25 17:49:50

Is there a timeline for when this patch will be available?


Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Post by TrevorH » 2024/01/25 18:08:54

There was a build problem that took some time to work out but I see that it built earlier today. I am not sure if it will be published separately or as part of the batch of updates that are pending - I'd suspect the latter. This is what else is pending:

389-ds-base-1.3.11.1-4.el7_9.src.rpm
kernel-3.10.0-1160.108.1.el7.src.rpm
java-1.8.0-openjdk-1.8.0.402.b06-1.el7_9.src.rpm
java-11-openjdk-11.0.22.0.7-1.el7_9.src.rpm
LibRaw-0.19.4-2.el7_9.src.rpm
gstreamer-plugins-bad-free-0.10.23-24.el7_9.src.rpm
net-snmp-5.7.2-49.el7_9.4.src.rpm
python-pillow-2.0.0-24.gitd1c6db8.el7_9.src.rpm
sssd-1.16.5-10.el7_9.16.src.rpm
xorg-x11-server-1.20.4-27.el7_9.src.rpm


Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Post by eliezer318 » 2024/01/25 18:41:41

Is there a way to get that GStreamer plug-in build published (get priority), and where will the link be available for download?


Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Post by TrevorH » 2024/01/25 18:53:16

You can search through https://buildlogs.centos.org/ if you like but I did just have a look in all the obvious looking places there and came up blank.

Oh, and be aware that if you do find it there then it will not be GPG signed as that only happens as the fix is released.


Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Post by eliezer318 » 2024/01/25 19:10:24

Trevor,

I want to keep tabs on this. What are the obvious places so I can get this taken care of for my systems myself?


Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Post by TrevorH » 2024/01/26 18:01:20

I'm told that the entire list of x86_64 updates has just been pushed to the mirror network so should replicate round the world soon. Running `yum clean all` before an update might help to see those updates sooner as the default expiry time for metadata is 6 hours.


Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Post by mp0026778 » 2024/01/29 09:02:30

Thanks for the update. I am able to find the updated package now.


Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Post by TrevorH » 2024/01/30 16:17:54

These updates are now published so are available via `yum update`.

You do not need to download them from buildlogs and as far as I can see they are no longer published to buildlogs during the build process so there is no way to get them before they are released.
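An added example, not written by anyone in this thread or by the CentOS project: a small check for a CentOS 7 host that refreshes cached yum metadata, then confirms that the installed gstreamer package is at least the build named in the pending list above and that it carries a GPG signature (the point raised about unsigned pre-release builds). The function names and the `run` argument are hypothetical, and it is an assumption that `0.10.23-24.el7_9` is the build carrying the CVE-2023-44446 fix.

```bash
#!/bin/bash
# Added example: confirm the fixed gstreamer build is installed and signed.
PKG="gstreamer-plugins-bad-free"
FIXED_EVR="0.10.23-24.el7_9"   # from the pending list in the thread; assumed to carry the fix

# Succeeds when installed >= fixed. sort -V only approximates rpm's version
# ordering; it is adequate for same-version, different-release strings like these.
evr_at_least() {
    local installed="$1" fixed="$2" lowest
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# rpm prints "(none)" for a package that has no signature,
# which is what an unreleased build would show.
sig_present() {
    case "$1" in
        ""|"(none)") return 1 ;;
        *) return 0 ;;
    esac
}

# Query the local rpm database and report OK, STALE or UNSIGNED.
check_pkg() {
    local evr sig
    evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$PKG") || {
        echo "$PKG is not installed"; return 2; }
    sig=$(rpm -q --qf '%{SIGPGP:pgpsig}\n' "$PKG")
    evr_at_least "$evr" "$FIXED_EVR" || {
        echo "STALE: $PKG-$evr is older than $FIXED_EVR"; return 1; }
    sig_present "$sig" || {
        echo "UNSIGNED: $PKG-$evr has no GPG signature"; return 1; }
    echo "OK: $PKG-$evr ($sig)"
}

# Only touches the system when invoked as: ./check-gstreamer.sh run
if [ "${1:-}" = "run" ]; then
    # Expire cached repo metadata so newly mirrored updates are visible
    # without waiting out the metadata expiry period.
    yum clean expire-cache >/dev/null
    check_pkg
fi
```

A `STALE` result after `yum update` means the mirror in use has not yet synced the update.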
