A security issue in yum-cron was made public by Red Hat here:
http://openwall.com/lists/oss-security/2014/01/23/7

It was fixed by syncing with upstream in version control in this commit:
http://pkgs.fedoraproject.org/cgit/yum.git/commit/?h=f20&id=e4412a50b76e7cd9233224baf20fcdc8f2bf9d3c

There are a couple more commits since then:
http://pkgs.fedoraproject.org/cgit/yum.git/log/?h=f20
CC: (none) => bruno, cazzaniga.sandro, thierry.vignaud
Whiteboard: (none) => MGA3TOO
Is it really time to fix it? We are very close to Mageia 4. Maybe when Cauldron reopens? What do you think?
Since yum isn't our default package manager, I don't think it's urgent to fix this. It can wait until after Mageia 4.
I'll take this bug and fix it then.
Assignee: bugsquad => cazzaniga.sandro
Cauldron is opening again, let's fix it now! :)
Status: NEW => ASSIGNED
I've found this fix [1], but there's no yum-cron.py in our yum src rpm.

[1] http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=9df69e579496ccb6df5c3f5b5b7bab8d648b06b4
Indeed, yum-cron.py is introduced by yum-HEAD.patch, which we do not have. This is INVALID.
Status: ASSIGNED => RESOLVED
Resolution: (none) => INVALID
URL: (none) => http://lwn.net/Vulnerabilities/607642/