Bug 30901

Summary: gajim new security issue CVE-2022-39835
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Sander Lepik <mageia>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: nicolas.salguero, yvesbrungard
Version: 8
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: gajim-1.3.3-1.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 1.5.1

Description David Walser 2022-09-27 00:34:21 CEST
Fedora has issued an advisory on September 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/65HAXFJCJPZ47ZQEJJ7OJFJ2IO3QASZP/

The issue is fixed upstream in 1.5.1:
https://dev.gajim.org/gajim/gajim/-/blob/master/ChangeLog

They updated python-nbxmpp to 3.2.2 as part of this update, so we should in Cauldron as well:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SSB75YVTGSPOTY7JRCRSDEVW35QSHX4N/

I'm not sure if that's needed to fully fix the CVE.

Mageia 8 is also affected.

David Walser 2022-09-27 00:34:40 CEST

Status comment: (none) => Fixed upstream in 1.5.1
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-09-28 19:42:38 CEST
Assigning to the registered maintainer Sander.

Assignee: bugsquad => mageia

Nicolas Salguero 2023-03-13 15:19:13 CET

Source RPM: gajim-1.4.2-1.mga9.src.rpm => gajim-1.3.3-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero

Comment 2 papoteur 2023-08-16 14:27:37 CEST
After gajim 1.3.3, the Python version should be 3.9+, which we don't have in Mageia 8.
I didn't identify the commit(s) related to fixing the CVE-2022-39835 vulnerability. All that is said is that 1.5.0 fixes the vulnerability. I think we won't fix that.

CC: (none) => yvesbrungard

Comment 3 Nicolas Salguero 2024-01-12 10:22:43 CET
Mageia 8 EOL

Status: NEW => RESOLVED
Resolution: (none) => OLD