Fedora has issued an advisory on December 12:
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125143.html

This issue has been known for a while, and given that it requires upgrading the library from 1.11.2 to the 1.12 branch (which is still only at RC stage), I'd think we can hold off on this until 1.12 goes final and it can be properly QA tested after Mageia 4 is out.

Hopefully the library major doesn't change, but if it does we'll have to rebuild some packages (kadu, perl-Nat-Gadu, kdenetwork4, and ekg2).

Reproducible:
Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
CC: (none) => fundawang, n54
Whiteboard: MGA3TOO => MGA4TOO, MGA3TOO
1.12.0 final is now out and it doesn't change the library major, so that's good. It has a build-time test suite (make check) which fails when built with gnutls support (which we do) on the "connect" test saying buffer overflow detected.
libgadu-1.12.0-1.mga5 uploaded for Cauldron (without make check) by diogenese. The make check has been added in SVN, we'll see if it builds on the build system when it's pushed again...
CC: (none) => warrendiogenese
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Updated packages uploaded for Mageia 3 and Mageia 4.

The RedHat bug mentions OpenSSL, but Fedora's package is built with gnutls, not OpenSSL, same as ours. Looking at the code commits they linked, it doesn't look like the issue is only when using OpenSSL.

Advisory:
========================

Updated libgadu packages fix security vulnerability:

Libgadu before 1.12.0 was found to not be performing SSL certificate validation (CVE-2013-4488).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4488
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125143.html
========================

Updated packages in core/updates_testing:
========================
libgadu3-1.12.0-1.mga3
libgadu-devel-1.12.0-1.mga3
libgadu3-1.12.0-1.mga4
libgadu-devel-1.12.0-1.mga4

from SRPMS:
libgadu-1.12.0-1.mga3.src.rpm
libgadu-1.12.0-1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=12709
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing MGA4 64

Just testing that the lib installs and is correctly loaded by the ekg2 client.

# urpmi lib64gadu3 --search-media "Updates Testing"
# urpmi ekg2

then

$ strace -o strace.out ekg2
# then type "quit" and then press enter
$ grep libgadu strace.out
open("/lib64/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6

Testing complete.
CC: (none) => stormi
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
libgadu3 ekg2

default install of libgadu3 & ekg2

[root@localhost wilcal]# urpmi libgadu3
Package libgadu3-1.11.4-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi ekg2
Package ekg2-0.3.1-8.mga3.i586 is already installed

[wilcal@localhost ~]$ strace -o strace.out ekg2
EKG2 launches
Quit EKG2
[wilcal@localhost ~]$ grep libgadu strace.out
open("/lib/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6

install libgadu3 from updates_testing

[root@localhost wilcal]# urpmi libgadu3
Package libgadu3-1.12.0-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi ekg2
Package ekg2-0.3.1-8.mga3.i586 is already installed

[wilcal@localhost ~]$ strace -o strace.out ekg2
EKG2 launches
Quit EKG2
[wilcal@localhost ~]$ grep libgadu strace.out
open("/lib/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
lib64gadu3 ekg2

default install of lib64gadu3 & ekg2

[root@localhost wilcal]# urpmi lib64gadu3
Package lib64gadu3-1.11.4-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi ekg2
Package ekg2-0.3.1-8.mga3.x86_64 is already installed

[wilcal@localhost ~]$ strace -o strace.out ekg2
EKG2 launches
Quit EKG2
[wilcal@localhost ~]$ grep libgadu strace.out
open("/lib64/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6

install lib64gadu3 from updates_testing

[root@localhost wilcal]# urpmi lib64gadu3
Package lib64gadu3-1.12.0-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi ekg2
Package ekg2-0.3.1-8.mga3.x86_64 is already installed

[wilcal@localhost ~]$ strace -o strace.out ekg2
EKG2 launches
Quit EKG2
[wilcal@localhost ~]$ grep libgadu strace.out
open("/lib/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
libgadu3 ekg2

default install of libgadu3 & ekg2

[root@localhost wilcal]# urpmi libgadu3
Package libgadu3-1.11.4-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi ekg2
Package ekg2-0.3.1-10.mga4.i586 is already installed

[wilcal@localhost ~]$ strace -o strace.out ekg2
EKG2 launches
Quit EKG2
[wilcal@localhost ~]$ grep libgadu strace.out
open("/lib/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6

install libgadu3 from updates_testing

[root@localhost wilcal]# urpmi libgadu3
Package libgadu3-1.12.0-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi ekg2
Package ekg2-0.3.1-10.mga4.i586 is already installed

[wilcal@localhost ~]$ strace -o strace.out ekg2
EKG2 launches
Quit EKG2
[wilcal@localhost ~]$ grep libgadu strace.out
open("/lib/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
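The load check used in the test reports above, as an added shell example that is not part of the original bug thread: it extracts only the successful libgadu opens from a strace log and checks that they came from the expected library directory. The function names and the failed /usr/lib64/tls lookup line in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread); function names are hypothetical.

# Print each libgadu path that strace recorded as successfully opened.
# Failed lookups (" = -1 ENOENT ...") are skipped; open() and openat()
# are both accepted, with or without a leading PID from "strace -f".
loaded_libgadu() {
    awk '
        /^([0-9]+ +)?(open|openat)\(/ && /libgadu\.so/ && / = [0-9]+$/ {
            if (match($0, /"[^"]*"/))
                print substr($0, RSTART + 1, RLENGTH - 2)
        }' "$1" | sort -u
}

# Succeed only if libgadu was loaded and every loaded copy is under DIR.
# usage: loaded_from DIR STRACE_FILE
loaded_from() {
    paths=$(loaded_libgadu "$2")
    [ -n "$paths" ] || return 1
    for p in $paths; do
        case $p in
            "$1"/*) ;;
            *) return 1 ;;
        esac
    done
}

# Constructed sample trace: one failed search-path lookup, the successful
# open reported in the MGA4 64-bit test, and an unrelated library.
sample=$(mktemp)
cat > "$sample" <<'EOF'
open("/usr/lib64/tls/libgadu.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
EOF
loaded_libgadu "$sample"
if loaded_from /lib64 "$sample"; then
    echo "libgadu loaded from /lib64"
fi
rm -f "$sample"
```

On an installed system, running `rpm -qf` on each printed path shows which libgadu package version owns the file that was actually loaded.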
For me this update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0375.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED