Bug 31726

Summary: dino new security issue CVE-2023-28686
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, davidwhodgins, geiger.david68210, mageia, sysadmin-bugs, tarazed25
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: dino-0.2.0-1.1.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2023-03-24 13:17:41 CET
Upstream has issued an advisory on March 23:
https://dino.im/security/cve-2023-28686/

The issue is fixed upstream in 0.2.3 and 0.4.2.

Mageia 8 is also affected.
David Walser 2023-03-24 13:17:58 CET

Status comment: (none) => Fixed upstream in 0.2.3 and 0.4.2
CC: (none) => mageia
Whiteboard: (none) => MGA8TOO
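As an added worked example (not part of this bug report, of Mageia's packaging or of the dino project), the following Python helper turns the fixed versions stated above into an affected-version check for an installed dino RPM. It parses a name-version-release string such as dino-0.2.3-1.mga8, compares the upstream version against the fixed release for its branch (0.2.3 for 0.2.x, 0.4.2 for 0.4.x, as the advisory states), and answers "unknown" rather than guessing for a branch the advisory does not mention (such as 0.3.x). The package strings used as input are constructed samples, and treating any release at or above 0.4.2 as fixed is an assumption of the example, not a statement from the advisory.

```python
"""Affected-version check for CVE-2023-28686 in dino, based on the fixed
releases named in the upstream advisory: 0.2.3 (0.2.x branch) and 0.4.2
(0.4.x branch).  Example code, not part of the bug report or of dino itself.
"""
import re

# Fixed upstream version per release branch, as given in the advisory.
# Branches missing here (e.g. 0.3.x) are not mentioned by the advisory.
FIXED_BY_BRANCH = {
    (0, 2): (0, 2, 3),
    (0, 4): (0, 4, 2),
}

# Assumption of this example (not from the advisory): any release at or
# above the newest fixed version carries the fix as well.
NEWEST_FIXED = max(FIXED_BY_BRANCH.values())

# name-version-release: the version is the dotted numeric field between the
# last two hyphens; the release may itself contain dots (e.g. 1.1.mga8).
NVR_RE = re.compile(
    r"^(?P<name>.+?)-(?P<version>[0-9]+(?:\.[0-9]+)*)-(?P<release>[^-]+)$"
)


def parse_nvr(nvr):
    """Split 'dino-0.2.3-1.mga8' into ('dino', (0, 2, 3), '1.mga8')."""
    m = NVR_RE.match(nvr)
    if m is None:
        raise ValueError("not a name-version-release string: %r" % nvr)
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("name"), version, m.group("release")


def cve_2023_28686_status(nvr):
    """Return 'fixed', 'vulnerable' or 'unknown' for an installed dino NVR."""
    name, version, _release = parse_nvr(nvr)
    if name != "dino":
        raise ValueError("not a dino package: %r" % nvr)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is not None:
        # Branch covered by the advisory: plain tuple comparison decides.
        return "fixed" if version >= fixed else "vulnerable"
    if version >= NEWEST_FIXED:
        return "fixed"      # see the NEWEST_FIXED assumption above
    return "unknown"        # branch not covered by the advisory text


if __name__ == "__main__":
    # Constructed sample input: the pre-update and post-update Mageia 8 builds
    # named in this bug, a Cauldron build, and a branch the advisory skips.
    for sample in ("dino-0.2.0-1.1.mga8", "dino-0.2.3-1.mga8",
                   "dino-0.4.1-1.mga9", "dino-0.3.0-1.mga9"):
        print("%-22s %s" % (sample, cve_2023_28686_status(sample)))
```

On a live system the input would come from `rpm -q dino`; the helper only needs the package's upstream version, since the Mageia release tag (1.1.mga8, 1.mga8) does not enter into the upstream fixed-version comparison.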

Comment 1 David GEIGER 2023-03-24 15:59:42 CET
Done for both mga8 and Cauldron!

Assigning to QA.

Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 0.2.3 and 0.4.2 => (none)
Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 8

Comment 2 David Walser 2023-03-25 01:25:08 CET
dino-0.2.3-1.mga8

from dino-0.2.3-1.mga8.src.rpm

Note that Cauldron is still awaiting a freeze move.

CC: (none) => geiger.david68210
Source RPM: dino-0.4.1-1.mga9.src.rpm => dino-0.2.0-1.1.mga8.src.rpm

Comment 3 Len Lawrence 2023-03-25 19:39:21 CET
mga8, x64

Installed dino and tried it out, launched from the command line.  It seems like a chat room service.  $ dino launches an interface where you can sign on.  Successfully created a user account and logged off.

Installed the update package and ran dino again.  Looked at the help options and visited the home site where it is described as a chat client.  Logged in OK in the terminal but did not know where to go from there.

Seems to work as far as access is concerned.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2023-03-25 20:11:41 CET
I was just researching it, learning it's an XMPP chat client.

I'm not much of a chatterer these days, but I was going to try it anyway. I'm just as happy that you beat me to it.

Herman tested the last update, bug 29329, doing essentially the same thing you did, so your test should indeed be sufficient.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-29 15:17:21 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 David Walser 2023-03-30 22:40:49 CEST
Debian has issued an advisory for this on March 27:
https://www.debian.org/security/2023/dsa-5379

Comment 6 Mageia Robot 2023-03-31 02:15:13 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0122.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED