Bug 13263

Summary: syncevolution new security issue CVE-2014-1639
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Olivier Blin <mageia>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: fundawang, r.wobben, rwobben, shlomif
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/595996/
Whiteboard:
Source RPM: syncevolution-1.3.2-7.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-04-24 20:04:25 CEST
Fedora has issued an advisory on April 15:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132092.html

The issue is fixed upstream in 1.4 (newest version is 1.4.1).

Note that while Mageia 3 and Mageia 4 are affected, it only affects people *building* the package, as the vulnerable script is not a part of the shipped package, so I don't think it's necessary to do an update for stable releases for this; fixing it in Cauldron should be sufficient.

David Walser 2014-04-24 20:04:40 CEST

CC: (none) => fundawang

Comment 1 David Walser 2014-05-18 16:21:36 CEST
Fixed in syncevolution-1.4.1-2.mga5 by rindolf and roelof.

Status: NEW => RESOLVED
CC: (none) => r.wobben, rwobben, shlomif
Resolution: (none) => FIXED