Bug 27824

Summary: php-oojs-oojs-ui should be dropped (or updated, but probably dropped)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, geiger.david68210, mageia, mageia, ouaurelien, sysadmin-bugs
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: php-oojs-oojs-ui-0.17.10-3.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2020-12-15 01:21:54 CET
Fedora has issued an advisory today (December 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6/

I don't know why we imported this package, as we never unbundled it from mediawiki, and nothing else uses it.

If it needs to be kept for some reason, it should be updated to 0.39.3, as in Fedora, to pick up the latest fixes from mediawiki / upstream.

Mageia 7 is also affected.

David Walser 2020-12-15 01:22:04 CET

Whiteboard: (none) => MGA7TOO
CC: (none) => geiger.david68210

Comment 1 Nicolas Lécureuil 2020-12-25 22:05:03 CET
fixed in cauldron

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 2 Nicolas Lécureuil 2020-12-25 22:42:07 CET
new package in mga7

src:
    php-oojs-oojs-ui-0.41.0-1.mga7

Assignee: mageia => qa-bugs

Comment 3 David Walser 2020-12-26 16:52:25 CET
Nicolas, did you determine why this package was imported or if we can drop it?

CC: (none) => mageia

Comment 4 David Walser 2020-12-26 16:56:28 CET
Advisory:
----------------------------------------

The php-oojs-oojs-ui package has been updated to version 0.41.0 to pick up all
of the latest fixes from upstream mediawiki.

References:
https://gerrit.wikimedia.org/r/plugins/gitiles/oojs/ui/+/refs/tags/v0.41.0/History.md
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
php-oojs-oojs-ui-0.41.0-1.mga7

from php-oojs-oojs-ui-0.41.0-1.mga7.src.rpm

QA Contact: security => (none)
Component: Security => RPM Packages

Comment 5 Marc Krämer 2021-01-09 12:11:01 CET
Is there a decision why not to drop it from cauldron?

CC: (none) => mageia

Comment 6 David Walser 2021-01-09 16:23:37 CET
It was dropped.

Comment 7 Thomas Andrews 2021-01-21 20:10:55 CET
No installation issues. Based on the above discussion, that should be sufficient for this one.

Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Comment 8 Aurelien Oudelet 2021-01-22 16:26:59 CET
Advisory pushed to SVN.

Keywords: (none) => advisory
QA Contact: (none) => security
Source RPM: php-oojs-oojs-ui-0.34.1-1.mga8.src.rpm => php-oojs-oojs-ui-0.17.10-3.mga7.src.rpm
CC: (none) => ouaurelien
Component: RPM Packages => Security

Comment 9 Mageia Robot 2021-01-23 00:51:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0050.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED