Bug 26226

Summary: inn new security issue CVE-2019-3692
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: All Packagers <pkg-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: inn-2.6.3-2.mga8.src.rpm CVE:
Status comment: Fix described in bug report

Description David Walser 2020-02-20 21:18:04 CET
openSUSE has issued an advisory today (February 20):
https://lists.opensuse.org/opensuse-updates/2020-02/msg00083.html

We do have protected_hardlinks set, so we don't need to push an update for Mageia 7, but we should fix it in SVN there and fix Cauldron the same way openSUSE did.

Basically they got rid of the chown calls in post and instead of doing the touch as root, did "runuser -u news -g news touch ..." with the files at the end.
David Walser 2020-02-21 17:57:01 CET

Status comment: (none) => Fix described in bug report
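
The two points in the description above, as an added example that is not part of the bug report or of either distribution's package: one function checks that `fs.protected_hardlinks` is on, the other creates files as the service account rather than doing `touch` as root followed by `chown`. The function names and the overridable sysctl path are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not the openSUSE or Mageia scriptlet.
# Function names are hypothetical.

# Return 0 when the kernel's hardlink restriction is enabled.
# $1: sysctl file to read (defaults to the real one; overridable for testing).
protected_hardlinks_enabled() {
    f=${1:-/proc/sys/fs/protected_hardlinks}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Create (or refresh the timestamp of) files as the service account, so no
# root-privileged chown ever acts on a path inside a directory that the
# account itself can write to.
# $1: user, $2: group, remaining arguments: files.
touch_as_owner() {
    user=$1
    group=$2
    shift 2
    [ "$#" -gt 0 ] || return 0
    if [ "$(id -un)" = "$user" ] && [ "$(id -gn)" = "$group" ]; then
        # Already running as the target account: no privilege change needed.
        touch -- "$@"
    elif [ "$(id -u)" -eq 0 ]; then
        # Root: drop to the service account first, as in the reported fix.
        runuser -u "$user" -g "$group" -- touch -- "$@"
    else
        echo "touch_as_owner: must run as root or as $user:$group" >&2
        return 1
    fi
}

# Usage in a post-install scriptlet (file list is a placeholder):
#   protected_hardlinks_enabled || echo "warning: fs.protected_hardlinks is off" >&2
#   touch_as_owner news news "$file1" "$file2"
```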

Comment 1 Lewis Smith 2020-02-22 19:07:19 CET
In the absence of an obvious maintainer for this package, assigning it globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2020-12-27 15:39:12 CET
fixed in cauldron

Resolution: (none) => FIXED
CC: (none) => mageia
Status: NEW => RESOLVED