| Summary: | virtuoso-opensource multiple security issues fixed upstream in 7.2.0 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, lmenut, mageia, mageia, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/650633/ | ||
| Whiteboard: | MGA4TOO has_procedure MGA4-32-OK MGA5-32-OK advisory | ||
| Source RPM: | virtuoso-opensource-6.1.6-7.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 14674 | ||
Description

David Walser, 2015-05-05 18:40:37 CEST

David Walser, 2015-05-05 18:40:51 CEST
CC: (none) => lmenut

Hum, we should be careful with this update. Most distributions still use virtuoso-opensource 6.1.6 because 6.1.7 has a regression which breaks things in KDE. I don't know if this was fixed in 6.1.8 or not. But Fedora and OpenSUSE still use virtuoso-opensource 6.1.6, and they haven't pushed a security fix for now.

https://mail.kde.org/pipermail/release-team/2013-August/007313.html

> -------- Forwarded Message --------
> Subject: Regression with Virtuoso 6.1.7
> Date: Thu, 29 Aug 2013 20:33:28 +0530
> From: Vishesh Handa <me@vhanda.in>
> Reply-To: KDE release coordination <release-team@kde.org>
> To: KDE release coordination <release-team@kde.org>, kde-packagers@kde.org
>
> Hey guys
>
> Please do not ship virtuoso 6.1.7 with KDE 4.11. It contains a regression which breaks ratings and maybe many more things. I'm in contact with the virtuoso team, and hopefully they will fix it soon. Fixing this from our end would require a big change in Soprano and many parts of Nepomuk. This is not something we want to do.
>
> @Release team: Do you think I should explicitly block 6.1.7 on a Nepomuk level? I would just need to revert 0e01d5b5 from nepomuk-core.
>
> --
> Vishesh Handa

Yes, we know. I already knew about the regression in 6.1.7 and talked to Nicolas about this on IRC. This is why we didn't push this update at the time I filed this. We'll have to test it carefully.

Sounds like 6.1.8 should be safe:
https://mail.kde.org/pipermail/nepomuk/2013-December/004854.html

7.1.0 is not though; it drops support for i586. Frugalware had skipped 6.1.7 like everyone else, but did go back to 6.1.8 after trying 7.x:
http://www4.frugalware.org/pub/linux/distributions/frugalware/frugalware-2.0/source/apps/virtuoso/Changelog

I've checked the update into SVN for Mageia 4, Mageia 5, and Cauldron, but not pushed to the build system yet. I was going to try to run the nepomuk-core test suite like the upstream mailing list reference I posted said, but I can't figure out how to run it.

I figured out how to run the nepomuk-core test suite.

Check out nepomuk-core from SVN:

```
mgarepo co -d 4 nepomuk-core
```

Build it locally:

```
cd nepomuk-core
bm -ls
(as root) urpmi SRPMS/nepomuk-core-4.12.5-1.mga4.src.rpm
bm -l
```

Run test suite:

```
cd BUILD/nepomuk-core-4.12.5
cd build/autotests; ctest -VV
```

With virtuoso-opensource 6.1.6:

```
100% tests passed, 0 tests failed out of 10
Total Test time (real) = 417.31 sec
```

With virtuoso-opensource 6.1.8:

```
100% tests passed, 0 tests failed out of 10
Total Test time (real) = 484.30 sec
```

Correction to the test procedure. Had to have virtuoso-opensource, nepomuk-core, and x11-server-xvfb installed.

Run test suite:

```
cd BUILD/nepomuk-core-4.12.5
cd build/autotests
cd lib/tools
source runNepomukTest.sh
```

(this killed my shell)

(new shell session)

```
cd nepomuk-core/BUILD/nepomuk-core-4.12.5/build/autotests
ctest -VV
```

Mageia 5, it's 4.14.3 instead of 4.12.5.

With virtuoso-opensource 6.1.6:

```
100% tests passed, 0 tests failed out of 10
Total Test time (real) = 460.72 sec
```

With virtuoso-opensource 6.1.8:

```
100% tests passed, 0 tests failed out of 10
Total Test time (real) = 471.97 sec
```

Just in case there's any concern over the times, I ran it again on mga4:

```
100% tests passed, 0 tests failed out of 10
Total Test time (real) = 431.43 sec
```

Also, I don't know if the runNepomukTest.sh was needed, and I had also done `source nepomuk-sandbox-begin.sh` in that same directory, and don't know if that was needed. I guess I fiddled a bit, but I got it to run and have run several successful tests on Mageia 4 and Mageia 5 i586.

Version: Cauldron => 5

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron. I have run successful tests, see the previous comments for how.

Advisory:
========================

Updated virtuoso-opensource packages fix security vulnerabilities:

The virtuoso-opensource package has been updated to version 6.1.8 and two additional upstream patches from versions 7.1.0 and 7.2.0 with additional fixes for unspecified security issues have been added.

References:
http://openwall.com/lists/oss-security/2015/05/05/12
http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VOSNews2013
http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VOSNews
========================

Updated packages in core/updates_testing:
========================
virtuoso-opensource-6.1.8-1.mga4
virtuoso-opensource-applications-6.1.8-1.mga4
virtuoso-opensource-jars-6.1.8-1.mga4
virtuoso-opensource-6.1.8-1.mga5
virtuoso-opensource-applications-6.1.8-1.mga5
virtuoso-opensource-jars-6.1.8-1.mga5

from SRPMS:
virtuoso-opensource-6.1.8-1.mga4.src.rpm
virtuoso-opensource-6.1.8-1.mga5.src.rpm

CC: (none) => mageia

Advisory committed to svn, and update validated. Someone from the sysadmin team please push 15853.adv to updates.

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0269.html

Status: NEW => RESOLVED

David Walser, 2015-07-09 19:04:31 CEST
URL: (none) => http://lwn.net/Vulnerabilities/650633/
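The test-suite comparison in the comments above is done by eye: check that no nepomuk-core test fails against the new virtuoso-opensource and that the run time is not wildly out of line with the 6.1.6 baseline. The script below is an added example, not part of the bug report or of Mageia's tooling; it parses the two summary lines that `ctest -VV` prints and reports regressions between a baseline run and a candidate run. The sample output is constructed from the Mageia 4 numbers quoted in the thread, and the 50% slowdown threshold is an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample output in the shape of the "ctest -VV" summary lines
# quoted in the bug comments (numbers taken from the Mageia 4 runs there).
CTEST_BASELINE = """\
100% tests passed, 0 tests failed out of 10

Total Test time (real) = 417.31 sec
"""

CTEST_CANDIDATE = """\
100% tests passed, 0 tests failed out of 10

Total Test time (real) = 484.30 sec
"""

SUMMARY_RE = re.compile(r"(\d+)% tests passed, (\d+) tests failed out of (\d+)")
TIME_RE = re.compile(r"Total Test time \(real\) =\s*([0-9.]+) sec")


@dataclass(frozen=True)
class CtestSummary:
    passed_pct: int
    failed: int
    total: int
    seconds: float


def parse_ctest_summary(text: str) -> CtestSummary:
    """Extract pass/fail counts and wall-clock time from ctest output.

    Raises ValueError if either summary line is missing, so an aborted run
    (e.g. a killed shell, as happened in the thread) is not mistaken for a pass.
    """
    counts = SUMMARY_RE.search(text)
    elapsed = TIME_RE.search(text)
    if counts is None or elapsed is None:
        raise ValueError("no ctest summary found in output")
    return CtestSummary(
        passed_pct=int(counts.group(1)),
        failed=int(counts.group(2)),
        total=int(counts.group(3)),
        seconds=float(elapsed.group(1)),
    )


def compare_runs(baseline: CtestSummary, candidate: CtestSummary,
                 max_slowdown: float = 0.5) -> list[str]:
    """Return regression findings; an empty list means the candidate looks safe.

    max_slowdown is the fraction by which the candidate may exceed the
    baseline time before it is flagged (assumed value, not from the thread).
    """
    findings = []
    if candidate.failed > 0:
        findings.append(f"{candidate.failed} of {candidate.total} tests failed")
    if candidate.total != baseline.total:
        findings.append(f"test count changed: {baseline.total} -> {candidate.total}")
    slowdown = (candidate.seconds - baseline.seconds) / baseline.seconds
    if slowdown > max_slowdown:
        findings.append(f"test suite {slowdown:.0%} slower than baseline")
    return findings


if __name__ == "__main__":
    base = parse_ctest_summary(CTEST_BASELINE)
    cand = parse_ctest_summary(CTEST_CANDIDATE)
    problems = compare_runs(base, cand)
    print("OK: no regression" if not problems else "REGRESSION: " + "; ".join(problems))
```

In practice the two inputs would be the captured output of `ctest -VV` from a run against the old package and a run against the candidate; keeping the gate in a script means the same criteria are applied to every Mageia release rather than reading the numbers off a terminal.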