A CVE has been assigned for a security issue fixed upstream in 9.20: http://openwall.com/lists/oss-security/2014/05/01/8

There are more details in the CVE request: http://openwall.com/lists/oss-security/2014/04/30/6

Mageia 3 and Mageia 4 are also affected.

Reproducible:

Steps to Reproduce:
CC: (none) => shikamaru
Whiteboard: (none) => MGA4TOO, MGA3TOO
Fixed in cauldron, and an update has been submitted to updates_testing. I tested the package myself; for me it can be pushed into updates. Hope I did this right, if it's the case I'll also push it to 3.

Regards,
Rémy
Thanks. Not that it's a problem, but typically we don't use 0.1 for the release tag. If you're updating it to 9.20, a release tag of 1 in all releases works fine, and that's how we normally do it.
CC: shikamaru => dirteat
Version: Cauldron => 4
Assignee: dirteat => shikamaru
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Oops, sorry, I thought it would have been 0.1 for updates-testing, because if it wasn't good and I had to rebuild, the version in 4 would have been higher than the one in cauldron. Shall I resubmit to 1 in mga4 and submit it that way to mga3?
Version: 4 => Cauldron
If the 0.1 build in mga4 looks good for you, then yes, you could bump it to 1 and rebuild (don't forget to remove the subrel) and push to mga3. You are correct that if a problem was found and it needed to be rebuilt, it'd then be 1.1 in mga4, but since it's the same version in Cauldron, it'd likely need to be fixed there for the same reason anyway, so it'd then be 2 there and the release tag would not be an issue.
Version: Cauldron => 4
Thanks for your feedback, submitted 9.20-1 to both mga3 and mga4 in updates_testing
Status: NEW => RESOLVED
Version: 4 => Cauldron
Resolution: (none) => FIXED
Status: RESOLVED => REOPENED
Version: Cauldron => 4
Resolution: FIXED => (none)
Version: 4 => Cauldron
Assignee: shikamaru => qa-bugs
Thanks. Assigning to the QA team now so that the update candidate can be tested and released.

Advisory:
========================

Updated rxvt-unicode package fixes security vulnerability:

rxvt-unicode (aka urxvt) before 9.20 is vulnerable to a user-assisted arbitrary command execution issue. This can be exploited by the unprocessed display of certain escape sequences in a crafted text file or program output. Arbitrary command sequences can be constructed using this, and unintentionally executed if used in conjunction with various other escape sequences (CVE-2014-3121).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3121
http://dist.schmorp.de/rxvt-unicode/Changes
http://openwall.com/lists/oss-security/2014/05/01/8
========================

Updated packages in core/updates_testing:
========================
rxvt-unicode-9.20-1.mga3
rxvt-unicode-9.20-1.mga4

from SRPMS:
rxvt-unicode-9.20-1.mga3.src.rpm
rxvt-unicode-9.20-1.mga4.src.rpm
CC: (none) => shikamaru
Version: Cauldron => 4
Testing complete mga4 64

PoC from http://seclists.org/oss-sec/2014/q2/204

$ echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";

Before
------
gives output showing the window title.

^[]3;urxvt^G
$'\E]3;urxvt'

Tip: highlight & then paste with middle mouse click.

After
-----
echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";

^[]3;^G
$'\E]3;'
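The PoC above works because an OSC 3 sequence whose payload starts with `?` asks the terminal to report an X property, and the reply lands in the input stream. The following scanner is an added example, not code from this bug report or from the rxvt-unicode project: it locates such OSC 3 property queries in untrusted output (the kind of check a log viewer or pager could apply before writing to a terminal) and can strip them while leaving ordinary OSC sequences such as title changes intact. The sample bytes are constructed here.

```python
import re

# Constructed sample: the PoC sequence from this bug, an ordinary OSC 0
# title set, and the same query terminated with ST instead of BEL.
SAMPLE = (
    b"hello\n"
    b"\x1b]3;?WM_CLASS\x07"     # OSC 3 property query: the CVE-2014-3121 trigger
    b"\x1b]0;my title\x07"      # OSC 0 window-title set, harmless, not a query
    b"\x1b]3;?WM_NAME\x1b\\"    # same kind of query, ST (ESC \) terminated
    b"bye\n"
)

# An OSC sequence is ESC ']' <payload> ended by BEL (0x07) or ST (ESC '\').
OSC_RE = re.compile(rb"\x1b\](?P<payload>[^\x07\x1b]*)(?:\x07|\x1b\\)")


def is_property_query(payload: bytes) -> bool:
    """True for an OSC 3 payload of the form '3;?NAME' (read an X property)."""
    return payload.startswith(b"3;?")


def find_osc_queries(data: bytes) -> list:
    """Return the payloads of every OSC 3 property query found in data."""
    return [m.group("payload") for m in OSC_RE.finditer(data)
            if is_property_query(m.group("payload"))]


def strip_osc_queries(data: bytes) -> bytes:
    """Drop OSC 3 property queries; other OSC sequences pass through unchanged."""
    def repl(m):
        return b"" if is_property_query(m.group("payload")) else m.group(0)
    return OSC_RE.sub(repl, data)


if __name__ == "__main__":
    for q in find_osc_queries(SAMPLE):
        print("property query found:", q)
    print(strip_osc_queries(SAMPLE))
```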
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing complete mga3 32 & 64
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Testing complete mga4 32

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Update pushed: http://advisories.mageia.org/MGASA-2014-0202.html
Status: REOPENED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Thanks!
URL: (none) => http://lwn.net/Vulnerabilities/597338/