Bug 13263 - syncevolution new security issue CVE-2014-1639
Summary: syncevolution new security issue CVE-2014-1639
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Olivier Blin
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/595996/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-24 20:04 CEST by David Walser
Modified: 2014-05-18 16:21 CEST

See Also:
Source RPM: syncevolution-1.3.2-7.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-04-24 20:04:25 CEST
Fedora has issued an advisory on April 15:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132092.html

The issue is fixed upstream in 1.4 (newest version is 1.4.1).

Note that while Mageia 3 and Mageia 4 are affected, it only affects people *building* the package, as the vulnerable script is not a part of the shipped package, so I don't think it's necessary to do an update for stable releases for this; fixing it in Cauldron should be sufficient.

David Walser 2014-04-24 20:04:40 CEST

CC: (none) => fundawang

Comment 1 David Walser 2014-05-18 16:21:36 CEST
Fixed in syncevolution-1.4.1-2.mga5 by rindolf and roelof.

Status: NEW => RESOLVED
CC: (none) => r.wobben, rwobben, shlomif
Resolution: (none) => FIXED

