Bug 26715

Summary: perl new security issues CVE-2020-10543, CVE-2020-10878 and CVE-2020-12723 (also update to 5.28.3)
Product: Mageia Reporter: Thierry Vignaud <thierry.vignaud>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, lewyssmith, luigiwalser, mageia, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: perl-5.28.2-2.mga7.src.rpm CVE:
Status comment:

Description Thierry Vignaud 2020-06-02 16:39:59 CEST 
Advisory:
==========
This update from 5.28.2 to 5.28.3 fixes bugs several bugs the RPM package manager.
- Update to 5.23.3 (See https://metacpan.org/pod/release/XSAWYERX/perl-5.28.3/pod/perldelta.pod for release notes)
- Security release fixes CVE-2020-10543, CVE-2020-10878 and CVE-2020-12723
- Work around a glibc bug in caching LC_MESSAGES (GH#17081)
- Fix POSIX:setlocale() documentation
- Prevent from an integer overflow in POSIX::SigSet()
- Fix thread-safety of IO::Handle (GH#14816)
- Close :unix PerlIO layers properly (bug #987118)
- Fix counting a recursion limit when matching in a postponed eval (GH#17490)
- Fix sorting tied arrays (GH#17496)
- Fix a spurious warning about a multidimensional syntax (GH#16535)
- Normalize "#!/perl" shebangs in the tests
- Fix a warning about an uninitialized value in B::Deparse (GH#17537)
- Fix Time-Local tests to pass after year 2019 (CPAN RT#124787)

List of generated packages:
=============================
perl-5.28.3-2.mga7.i586.rpm
perl-base-5.28.3-2.mga7.i586.rpm
perl-devel-5.28.3-2.mga7.i586.rpm
perl-doc-5.28.3-2.mga7.noarch.rpm
perl-debugsource-5.28.3-2.mga7.i586.rpm
perl-debuginfo-5.28.3-2.mga7.i586.rpm
perl-base-debuginfo-5.28.3-2.mga7.i586.rpm

(s/lib64/lib/ + s/x86_64/i586/ for i586)
(likewas for armv7 vs aarch64)
Comment 1 Lewis Smith 2020-06-02 21:24:53 CEST 
Several questions:
- Why is the package list just for i586?
- Why are they for Perl rather than the SRPM cited 'rpm'? Should the latter be changed to, or have added, 'perl'?
- For the Advisory, which SRPM/s is/are the one/s that matter/s?
- Whatever the package list really is, are they in updates/testing for QA?
Comment 2 Nicolas Lécureuil 2020-06-02 22:42:12 CEST 
List of generated packages:
=============================
perl-5.28.3-2.mga7
perl-base-5.28.3-2.mga7
perl-devel-5.28.3-2.mga7
perl-doc-5.28.3-2.mga7
perl-debugsource-5.28.3-2.mga7
perl-debuginfo-5.28.3-2.mga7
perl-base-debuginfo-5.28.3-2.mga7


from:  perl-5.28.3-2.mga7.src.rpm
Comment 3 David Walser 2020-06-02 23:42:06 CEST 
Lewis, just ignore the arch part.  As for the rest, it's because for some reason Thierry keeps making new bugs by cloning old ones instead of just making a fresh new bug.

Component: RPM Packages => Security
QA Contact: (none) => security
CC: andrewsfarm, fri, herman.viaene, qa-bugs, sysadmin-bugs, tmb, wilcal.int => (none)
Source RPM: rpm-4.14.3-1.mga7..src.rpm => perl-5.28.2-2.mga7.src.rpm
Keywords: advisory, validated_update => (none)

David Walser 2020-06-02 23:42:36 CEST

Depends on: 19710, 26576 => (none)
Assignee: bugsquad => qa-bugs

David Walser 2020-06-02 23:43:22 CEST

Summary: Update candidate: perl => perl new security issues fixes CVE-2020-10543, CVE-2020-10878 and CVE-2020-12723 (also update to 5.28.3)

David Walser 2020-06-02 23:43:29 CEST

Summary: perl new security issues fixes CVE-2020-10543, CVE-2020-10878 and CVE-2020-12723 (also update to 5.28.3) => perl new security issues CVE-2020-10543, CVE-2020-10878 and CVE-2020-12723 (also update to 5.28.3)

Comment 4 David Walser 2020-06-02 23:57:04 CEST 
Please don't list debug* packages for QA, it just creates confusion.
Comment 5 Thierry Vignaud 2020-06-03 00:59:10 CEST 
I though that was needed for the push from core/updates_testing into core/updates
Comment 6 Herman Viaene 2020-06-03 14:15:54 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Following Len's lead in bug 25980, installed Frozen Bubble using gurmpi (why specifically that?).
Played and won one level!!!!!!
So OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 7 Nicolas Lécureuil 2020-06-03 16:26:55 CEST 
(In reply to Thierry Vignaud from comment #5)
> I though that was needed for the push from core/updates_testing into
> core/updates

no need because the script that upload uses the src.rpm names.

The name of the rpms are needed for QA team to know what to install.


But thank you for the update :)
Comment 8 Thomas Andrews 2020-06-05 13:31:47 CEST 
Careful Herman, Frozen Bubble can be addictive...

Validating. Advisory in Comment 0.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-06-11 01:26:21 CEST

Keywords: (none) => advisory

Comment 9 Mageia Robot 2020-06-11 02:00:50 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0255.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED