| Summary: | couchdb new security issue CVE-2010-5312 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, shlomif, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/626058/ | | |
| Whiteboard: | has_procedure advisory MGA4-32-OK MGA4-64-OK | | |
| Source RPM: | couchdb-1.4.0-2.3.mga4.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2014-12-12 19:22:23 CET
David Walser
2014-12-12 19:25:02 CET
URL: (none) => http://lwn.net/Vulnerabilities/626058/
David Walser
2014-12-24 20:22:58 CET
CC: (none) => shlomif

David Walser, hi! What am I supposed to do? Which packages should I update?

(In reply to Shlomi Fish from comment #1)
> David Walser, hi! What am I supposed to do? Which packages should I update?

couchdb in Mageia 4. I've already added the patch in SVN, but the package doesn't build. That needs to be fixed.

(In reply to David Walser from comment #2)
> (In reply to Shlomi Fish from comment #1)
> > David Walser, hi! What am I supposed to do? Which packages should I update?
>
> couchdb in Mageia 4. I've already added the patch in SVN, but the package
> doesn't build. That needs to be fixed.

Hi, I fixed the build problems (by porting fixes from Cauldron) in couchdb-1.4.0-2.5mga4 in http://pkgsubmit.mageia.org/ . Please test.

Regards,

-- Shlomi Fish

Thanks Shlomi!

Advisory:
========================

Updated couchdb packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option (CVE-2010-5312).

The embedded copy of jQuery UI in couchdb has been updated to version 1.10.4 to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5312
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145767.html
========================

Updated package in core/updates_testing:
========================
couchdb-1.4.0-2.5.mga4
couchdb-bin-1.4.0-2.5.mga4

from couchdb-1.4.0-2.5.mga4.src.rpm

Assignee: tmb => qa-bugs

(In reply to David Walser from comment #0)
> Some other packages that we have that are in RedHat's list are:
> dokuwiki, fish, yelp-xsl, mediawiki, python-sphinx, calibre,
> python-werkzeug, python-django14, python-django, wordpress, hotot, sagemath,
> sparkleshare, wesnoth, libgda, openteacher, ikiwiki, perl-Mojolicious,
> zabbix, drupal, spyder

RedHat/Fedora have ruled out mediawiki, fish, python-django14, python-django, python-werkzeug, zabbix, spyder, and perl-Mojolicious as being affected. Wordpress version 4 is not, but 3.9 may still be. The hotot package is not fixable and has been retired because it is dead upstream. We do not have sagemath packaged.

dokuwiki, fish, yelp-xsl, python-sphinx, calibre, sparkleshare, wesnoth, libgda, openteacher, ikiwiki, drupal, and spyder have not been ruled out yet.

MGA4-64 on HP Probook 6555b KDE and MGA4-32 on Acer D620 Xfce. No installation issues.

Whiteboard: (none) => MGA4-32-OK MGA4-64-OK

It's actually pretty easy to functionally test this one.

http://wiki.apache.org/couchdb/CouchIn15Minutes

Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK

Ran "Hello World" example on both MGA4-64 and MGA-32.

Thanks Herman.

Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0559.html

Status: NEW => RESOLVED