Here is a report from the oss-security mailing list for Vulnerability Roundup 27.

Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123

Skip to First Email

Upon Completion ...

[ ] Update Graham's database

Info

Triage Indicator:

-needs-triage +roundup27 thread:0000000000003efc

File Search: https://search.nix.gsc.io/?q=kio&i=fosho&repos=nixos-nixpkgs
GitHub Search: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=kio+in%3Apath&type=Code

Should the search term be changed from kio? Suggest a new package search by commenting:

-suggested:kio +suggested:correctPackageName thread:0000000000003efc

Known CVEs:

Skip to End

Tue, 28 Feb 2017 19:44:38 +0100 Albert Astals Cid , `1501907.mtIKE32cx4@xps`

Hi, Albert from KDE, can we get a CVE assigned for kio (input/output library)?

advisory is here https://www.kde.org/info/security/advisory-20170228-1.txt

Thanks,
  Albert

Skip to End

Wed, 1 Mar 2017 12:03:55 +0530 (IST) P J P , `alpine.LFD.2.20.1703011202510.1553@wniryva`

+-- On Tue, 28 Feb 2017, Albert Astals Cid wrote --+
| Hi, Albert from KDE, can we get a CVE assigned for kio (input/output library)?
| advisory is here https://www.kde.org/info/security/advisory-20170228-1.txt

Please see:
  -> http://cveform.mitre.org/

--
 - P J P
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Skip to End

NixOS / security

Roundup: [oss-security] kio vulnerability: need CVE #115

Instructions:

Identification

Patching

Upon Completion ...

Info

Tue, 28 Feb 2017 19:44:38 +0100 Albert Astals Cid , `1501907.mtIKE32cx4@xps`

Wed, 1 Mar 2017 12:03:55 +0530 (IST) P J P , `alpine.LFD.2.20.1703011202510.1553@wniryva`

NixOS / security

Roundup: [oss-security] kio vulnerability: need CVE #115

Instructions:

Identification

Patching

Upon Completion ...

Info

Tue, 28 Feb 2017 19:44:38 +0100 Albert Astals Cid , 1501907.mtIKE32cx4@xps

Wed, 1 Mar 2017 12:03:55 +0530 (IST) P J P , alpine.LFD.2.20.1703011202510.1553@wniryva

Tue, 28 Feb 2017 19:44:38 +0100 Albert Astals Cid , `1501907.mtIKE32cx4@xps`

Wed, 1 Mar 2017 12:03:55 +0530 (IST) P J P , `alpine.LFD.2.20.1703011202510.1553@wniryva`