Bug 23846

Summary: kdeconnect-kde new minor security issue fixed upstream in 1.3.3
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, fri, geiger.david68210, lewyssmith, sysadmin-bugs
Version: 6 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: kdeconnect-kde-1.0.3-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-11-16 00:10:13 CET
Upstream has released 1.3.3 with a security fix (from 1.3.2) on November 10:
https://mail.kde.org/pipermail/kde-announce-apps/2018-November/005484.html

Fedora has issued an advisory for this today (November 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EJOQBE3EJLY5Q7E33MXKBWG4PHSFIN7X/

Cauldron has already been updated but Mageia 6 should probably be also.
Comment 1 David GEIGER 2018-11-16 07:24:47 CET
Done for mga6!
Comment 2 David Walser 2018-11-16 14:33:49 CET
Advisory:
========================

Updated kdeconnect-kde packages fix security vulnerability:

The kdeconnect-kde package has been updated to version 1.3.3, which fixes an
issue with modern encryption algorithms being disabled with SSH, and also fixes
several bugs and updates compatibility with the Android app.

References:
https://mail.kde.org/pipermail/kde-announce-apps/2018-November/005484.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EJOQBE3EJLY5Q7E33MXKBWG4PHSFIN7X/
========================

Updated packages in core/updates_testing:
========================
kdeconnect-kde-1.3.3-1.mga6
kdeconnect-kde-handbook-1.3.3-1.mga6
kdeconnect-kde-nautilus-1.3.3-1.mga6
libkdeconnectcore1-1.3.3-1.mga6
libkdeconnectinterfaces1-1.3.3-1.mga6
libkdeconnectpluginkcm1-1.3.3-1.mga6

from kdeconnect-kde-1.3.3-1.mga6.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 3 Morgan Leijström 2018-11-16 18:12:56 CET
Tests running mga6 64 Plasma on my desktop fully updated to all updates_testing, reboot: Connection OK to my FairPhone2 running shipped Android + current updates and kdeconnect app, and:

a) OK: Shows battery status

b) OK: folder access; I click folder icon in kdeconnect -> Dolphin launched and I can browse my phone.

c) OK: Music player control; On desktop I launch Spotify, play music, and on my phone there then appears a control panel for music; I can pause and unpause.

d) half OK: I can press a button in kdeConnect to make phone ring. The button has the correct popup name in Swedish when I hover the mouse pointer over it, but the button is a plain square; I think it should contain an icon?

...it has a few more functions I have not tested yet, gotta go now.

CC: (none) => fri

Comment 4 Morgan Leijström 2018-11-16 19:52:15 CET
From kdeconnect on phone I can

e) control the computer pointer and enter text.

f) control Spotify in full screen

g) send file ( appears in ~/Downloads )

h) execute user defined shell command
Comment 5 Thomas Andrews 2018-11-29 01:57:13 CET
Looks to me like it was OK for you, Morgan. I tried to make it work, but it appears that I need a detailed tutorial with words of no more than two syllables before I will get anything to pair. 

I shall give this the OK and validate, based on Morgan's tests. I'm sure my failure was due to me, and not the app.

Advisory in comment 2.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Lewis Smith 2018-12-01 20:36:10 CET
Advisoried from c2; no CVE yet.

CC: (none) => lewyssmith
Keywords: (none) => advisory

Comment 7 Mageia Robot 2018-12-01 22:39:57 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0473.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED