| Summary: | php-pear-Horde new security issue fixed upstream in 5.2.8 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED INVALID | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | lewyssmith, thomas |
| Version: | 5 | | |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/663319/ | | |
| Whiteboard: | MGA5-64-OK | | |
| Source RPM: | php-pear-Horde-5.1.4-8.mga5.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser
2015-11-04 19:46:23 CET
Version 5.2.8 is the latest stable Horde.

Status: NEW => ASSIGNED

This bug has been resolved in mga5 and committed in cauldron. I will submit the build after php has been stabilized and php-pear has been updated.

The following packages are now in updates_testing:
php-pear-Horde-5.2.8-1.mga5.src.rpm
php-pear-Horde-5.2.8-1.mga5.noarch.rpm

CC: (none) => thomas

Thomas, php-pear-Horde still needs to be updated in Cauldron. Are we sure that 5.2.8 has this commit?
https://github.com/horde/horde/commit/a199d74932c902844514b2a83d21e7e221257dae
David Walser
2015-11-05 18:21:32 CET
Whiteboard: CAULDRON TOO => (none)

Oh, sorry, I see that you already mentioned Cauldron. The upstream advisory is confusing because of the different version numbers (I guess between the different components):
https://www.htbridge.com/advisory/HTB23272

Fedora advisory confirming php-horde 5.2.8 is the right fix:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170692.html
from http://lwn.net/Vulnerabilities/663319/
David Walser
2015-11-05 23:22:30 CET
URL: http://lwn.net/Vulnerabilities/663067/ => http://lwn.net/Vulnerabilities/663319/

Looking at this to discover what *is* php-pear-Horde, I am mystified by the description of it in Add/Remove Software (for version 5.1.4-8): "This is now just an empty package that removes and obsoletes all php-pear-horde packages. They (php-pear-horde packages) can be installed individually by the user, using pear-install." Some clarification, please.

CC: (none) => lewyssmith

Yes, you are correct. We probably need to obsolete it in cauldron. I already obsoleted all php-pear-horde packages earlier. If you read on, the installation of the pear packages related to horde is problematic and in many cases breaks the installation. pear-install had all the good intentions, but there was a reason why Fedora packaged them. Also, the pear folks didn't provide a lot of help making the rpm with correct deps. They wanted everybody to use pear-install. So I would release this package to be safe, as Fedora did. I don't think anybody is still using it.

Thanks Thomas.
Testing Mag5 x64
Just to see that the update happens without incident.
But the pre-update installation did not!
```
# rpm -qa | grep php-pear-Horde
# [i.e. Not installed]
# urpmi php-pear-Horde
$MIRRORLIST: media/core/release/php-pear-Horde-5.1.4-8.mga5.noarch.rpm
gosod php-pear-Horde-5.1.4-8.mga5.noarch.rpm o /var/cache/urpmi/rpms
Paratoi... #############################################
1/1: php-pear-Horde #############################################
install failed
warning: %post(php-pear-Horde-5.1.4-8.mga5.noarch) scriptlet failed, exit status 1
ERROR: 'script' failed for php-pear-Horde-5.1.4-8.mga5
# rpm -qa | grep php-pear-Horde
php-pear-Horde-5.1.4-8.mga5
```
So, despite the warnings and 'failure', it seems to have been installed.
UPDATED from Update Testing repos, using MCC/System Update. No visible problem.
```
# rpm -qa | grep php-pear-Horde
php-pear-Horde-5.2.8-1.mga5
```
--------------------------------
As a cross-check, I tried un-installing it then re-installing directly from Updates Testing. Hmm... [tynnu = removing, pecyn = packet]
```
# urpme php-pear-Horde
tynnu php-pear-Horde-5.2.8-1.mga5.noarch
tynnu pecyn php-pear-Horde-5.2.8-1.mga5.noarch.
1/1: tynnu php-pear-Horde-5.2.8-1.mga5.noarch
#############################################
horde/horde not installed
```
[?]
```
# urpmi php-pear-Horde
$MIRRORLIST: media/core/updates_testing/php-pear-Horde-5.2.8-1.mga5.noarch.rpm
gosod php-pear-Horde-5.2.8-1.mga5.noarch.rpm o /var/cache/urpmi/rpms
Paratoi... #############################################
1/1: php-pear-Horde #############################################
install failed
warning: %post(php-pear-Horde-5.2.8-1.mga5.noarch) scriptlet failed, exit status 1
ERROR: 'script' failed for php-pear-Horde-5.2.8-1.mga5
# rpm -qa | grep php-pear-Horde
php-pear-Horde-5.2.8-1.mga5
```
So it throws the same installation error as previously, but seems to get installed.
On the basis of "So I would release this package to be safe", I give it an OK which can be removed if any of the strange things I note matter.

Whiteboard: (none) => MGA5-64-OK

Thomas, any idea what is causing the %post failure?

Yes, because it's an empty package. BTW, Fedora retired it early this year.

It sounds like the %post could maybe be removed then?

I guess, it could. Actually, I wonder if we just should close this bug as invalid. The old version didn't have any files either.

(In reply to Thomas Spuhler from comment #12)
> I guess, it could.
> Actually, I wonder if we just should close this bug as invalid. The old
> version didn't have any files either.

Yeah, if this update doesn't actually "fix" anything since it's a fake package, it should be INVALID.

Done. I just obsoleted it in cauldron (task-obsolete). Sorry, I didn't remember this and made QA folks work on it.

Status: ASSIGNED => RESOLVED

No problem. We have improved Mageia quality :)