Bug 5046

Summary: [Tracker] Security updates for Mageia 2
Product: Mageia Reporter: Anne Nicolas <ennael1>
Component: RPM PackagesAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: release_blocker CC: guillomovitch, juan.baptiste, luigiwalser
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: CVE:
Status comment:

Description Anne Nicolas 2012-03-21 21:57:04 CET 
This tracker is about security fixes that should be included before Mageia 2 is out.
Anne Nicolas 2012-03-21 21:57:41 CET

Priority: Normal => release_blocker

Anne Nicolas 2012-03-21 22:13:16 CET

Summary: Security updates for Mageia 2 => [Tracker] Security updates for Mageia 2

David Walser 2012-03-22 03:06:31 CET

CC: (none) => luigiwalser
Depends on: (none) => 5041

Comment 1 David Walser 2012-03-22 03:08:44 CET 
Adding 4563 because if the package isn't updated when upgrading from mdv -> mga1 -> mga2, they won't get subsequent security updates from us for this package until this is fixed.

Depends on: (none) => 4563

David Walser 2012-03-22 03:13:33 CET

Depends on: (none) => 3099

Comment 2 David Walser 2012-03-22 13:58:04 CET 
5041 is now fixed in Cauldron.

Depends on: 5041 => (none)

David Walser 2012-03-23 01:28:38 CET

Depends on: (none) => 5063

David Walser 2012-03-25 23:01:55 CEST

Depends on: (none) => 5108

David Walser 2012-03-27 23:28:09 CEST

Depends on: (none) => 5141

Luc Menut 2012-03-28 23:53:46 CEST

Depends on: (none) => 3101

David Walser 2012-03-29 03:46:38 CEST

Depends on: (none) => 5153

Comment 3 David Walser 2012-03-29 23:23:09 CEST 
5141 is now fixed in Cauldron.

Depends on: 5141 => (none)

David Walser 2012-04-02 18:08:03 CEST

Depends on: (none) => 5169, 5203

David Walser 2012-04-03 01:40:26 CEST

Depends on: (none) => 5208

Comment 4 David Walser 2012-04-03 19:58:45 CEST 
5169 is now fixed in Cauldron.

Depends on: 5169 => (none)

Comment 5 David Walser 2012-04-04 13:00:51 CEST 
5203 is now fixed in Cauldron.

Depends on: 5203 => (none)

Comment 6 David Walser 2012-04-04 18:29:16 CEST 
5208 is now fixed in Cauldron.

Depends on: 5208 => (none)

Comment 7 David Walser 2012-04-06 14:06:58 CEST 
5108 is now fixed in Cauldron.

Depends on: 5108 => (none)

David Walser 2012-04-06 16:58:09 CEST

Depends on: (none) => 5254

David Walser 2012-04-06 17:29:47 CEST

Depends on: (none) => 5255

David Walser 2012-04-06 17:58:00 CEST

Depends on: (none) => 5257

David Walser 2012-04-06 18:44:14 CEST

Depends on: (none) => 5261

David Walser 2012-04-07 03:41:10 CEST

Depends on: 5257 => (none)

Comment 8 David Walser 2012-04-07 05:58:39 CEST 
5255 is now fixed in Cauldron.

Depends on: 5255 => (none)

Comment 9 David Walser 2012-04-08 04:23:06 CEST 
4563 is now fixed in Cauldron.

Depends on: 4563 => (none)

David Walser 2012-04-09 00:40:51 CEST

Depends on: (none) => 5293

David Walser 2012-04-09 05:42:49 CEST

Depends on: (none) => 5300

Comment 10 David Walser 2012-04-09 20:50:47 CEST 
5063 is now fixed in Cauldron.

Depends on: 5063 => (none)

David Walser 2012-04-13 02:45:23 CEST

Depends on: (none) => 5384

David Walser 2012-04-17 02:56:25 CEST

Depends on: (none) => 5432

David Walser 2012-04-18 12:23:19 CEST

Depends on: (none) => 5458

David Walser 2012-04-18 12:33:15 CEST

Depends on: (none) => 5459

Comment 11 David Walser 2012-04-19 02:57:49 CEST 
5261 is now fixed in Cauldron.

Depends on: 5261 => (none)

David Walser 2012-04-19 22:54:24 CEST

Depends on: (none) => 5496

Comment 12 David Walser 2012-04-20 17:22:19 CEST 
5459 is now fixed in Cauldron.

Depends on: 5459 => (none)

Comment 13 David Walser 2012-04-20 18:08:26 CEST 
5432 is now fixed in Cauldron.

Depends on: 5432 => (none)

David Walser 2012-04-20 21:00:12 CEST

Depends on: (none) => 5520

Comment 14 David Walser 2012-04-21 15:46:28 CEST 
3099 is now fixed in Cauldron.

Depends on: 3099 => (none)

Comment 15 David Walser 2012-04-21 19:59:39 CEST 
5458 is now fixed in Cauldron.

Depends on: 5458 => (none)

Comment 16 Guillaume Rousse 2012-04-22 19:44:05 CEST 
3101 is not a mageia 2 release blocker bug, it only affect mageia 1.

CC: (none) => guillomovitch
Depends on: 3101 => (none)

Comment 17 Guillaume Rousse 2012-04-22 20:09:12 CEST 
According to maintainer comment, 5496 is also specific to mageia 1.

Depends on: 5496 => (none)

Comment 18 David Walser 2012-04-22 20:12:57 CEST 
(In reply to comment #17)
> According to maintainer comment, 5496 is also specific to mageia 1.

That has not been verified for all of the affected games, only tremulous.

Depends on: (none) => 5496

Comment 19 Juan Luis Baptiste 2012-04-23 07:43:34 CEST 
(In reply to comment #18)
> (In reply to comment #17)
> > According to maintainer comment, 5496 is also specific to mageia 1.
> 
> That has not been verified for all of the affected games, only tremulous.

That's not what I said. We have the same version of ioquake3 from Fedora, I based the current cauldron ioquake3 package on Fedora's quake3 package. Our version includes the same svn version and the same patches as Fedora. So games like ioquake3, urban terror, world of padman and smokin' guns aren't affected (trusting on Fedora's testing of the fixed ioquake3 source).

CC: (none) => juan.baptiste

Comment 20 David Walser 2012-04-23 11:56:53 CEST 
(In reply to comment #19)
> We have the same version of ioquake3 from Fedora, I
> based the current cauldron ioquake3 package on Fedora's quake3 package. Our
> version includes the same svn version and the same patches as Fedora. So games
> like ioquake3, urban terror, world of padman and smokin' guns aren't affected
> (trusting on Fedora's testing of the fixed ioquake3 source).

What about openarena?
Comment 21 Juan Luis Baptiste 2012-04-23 17:41:15 CEST 
Althought openarena uses the ioquake3 engine, our openarena's package doesn't use this ioquake3 package and includes it's own copy of the engine, so openarena needs to be checked against this bug.


The games that aren't affected in mga 2 because they use the patched version from Fedora are:

- ioquake3
- Urban Terror
- World of Padman
- Smokin' Guns

There's also Turtle Arena, which is also based on a ioquake3 engine fork, so it maybe can be affected by this. I will contact the author and ask him about this.
David Walser 2012-04-23 23:54:30 CEST

Depends on: (none) => 5575

David Walser 2012-04-24 02:13:30 CEST

Depends on: (none) => 5255

David Walser 2012-04-25 12:21:49 CEST

Depends on: 5255 => (none)

Sander Lepik 2012-04-26 20:44:51 CEST

Depends on: (none) => 4476

David Walser 2012-04-26 20:58:26 CEST

Depends on: 5496 => (none)

Comment 22 David Walser 2012-04-27 15:47:41 CEST 
There are more security issues with the Quake 3 engine that are not fixed in the Mageia 2 packages.  Adding Bug 5496 back to the tracker.

Depends on: (none) => 5496

David Walser 2012-05-01 03:23:49 CEST

Depends on: (none) => 5699

David Walser 2012-05-01 05:13:54 CEST

Depends on: (none) => 5701

Comment 23 David Walser 2012-05-01 15:59:45 CEST 
5701 is now fixed in Cauldron.

Depends on: 5701 => (none)

Comment 24 David Walser 2012-05-01 21:36:03 CEST 
5699 is now fixed in Cauldron.

Depends on: 5699 => (none)

David Walser 2012-05-02 03:17:51 CEST

Depends on: (none) => 5714

Comment 25 Guillaume Rousse 2012-05-02 21:11:21 CEST 
5714 is now fixed in Cauldron.

Depends on: 5714 => (none)

Comment 26 David Walser 2012-05-02 21:37:08 CEST 
(In reply to comment #25)
> 5714 is now fixed in Cauldron.

Not yet.  It was submitted, but the build failed.

Depends on: (none) => 5714

Comment 27 David Walser 2012-05-04 16:33:45 CEST 
Linking in 5063 for the newly announced major PHP security issues, see:
https://bugs.mageia.org/show_bug.cgi?id=5063#c18

It allows remote code execution and all kinds of other problems, and it has publicly available exploits, including a metasploit module.

A fix is supposed to be available from upstream soon, we really should try to get it in.

Depends on: (none) => 5063

Anne Nicolas 2012-05-05 09:43:30 CEST

Depends on: 4476, 5063, 5496, 5714, 5153, 5254, 5293, 5300, 5384, 5520, 5575 => (none)

Comment 28 Anne Nicolas 2012-05-05 09:44:32 CEST 
Closing now this tracker as Mageia 2 final release  is very near now
Comment 29 Anne Nicolas 2012-05-05 09:44:50 CEST 
really closing

Status: NEW => RESOLVED
Resolution: (none) => FIXED