Bug 9532

Summary: gnome-online-accounts new security issue CVE-2013-1799
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: fundawang, jani.valimaa, olav
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/544356/
Whiteboard:
Source RPM: gnome-online-accounts-3.6.2-5.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-03-25 21:50:52 CET
Ubuntu has issued an advisory today (March 25):
http://www.ubuntu.com/usn/usn-1779-1/

I don't think they actually fixed this CVE in 3.4.0 (Ubuntu 12.04 LTS), as they only have a patch for CVE-2013-0240, and it's the same patch we used in our previous update.  It's possible that this particular CVE doesn't affect 3.4.x.

For 3.6.x, it's fixed upstream in 3.6.3.  See below.

References:
https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html
http://www.mail-archive.com/pld-cvs-commit@lists.pld-linux.org/msg305138.html
https://bugzilla.gnome.org/show_bug.cgi?id=695106

David Walser 2013-03-25 21:51:26 CET

CC: (none) => fundawang, jani.valimaa, olav

Comment 1 Jani Välimaa 2013-04-01 12:01:22 CEST
We already have 3.6.3, it was pushed almost a month ago.

Comment 2 David Walser 2013-04-01 12:06:49 CEST
Oops, sorry, and thanks.  Debian says only 3.6.x and 3.7.x are affected.

Status: NEW => RESOLVED
Resolution: (none) => INVALID