OpenSuSE has issued an advisory on September 28: http://lists.opensuse.org/opensuse-updates/2014-09/msg00035.html The issue was fixed upstream in 0.6.3. Mageia 3 is also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
According to the upstream bug, the version in Mageia 3 is definitely also affected. Unfortunately, the patch to fix this is not backportable, so upgrading to 0.6.3 is the only fix. While this works on Mageia 4, it doesn't on Mageia 3 because building geary 0.6.3 requires vala 0.22.1, and Mageia 3 has 0.18.1. Can we update vala?
On Mageia 3, I updated vala locally to 0.22.1 and tried to build geary, and get this error even though libgcr-devel is installed: error: Package `gcr-3' not found in specified Vala API directories or GObject-Introspection GIR directories
Dropping Mageia 3 from the whiteboard due to EOL: http://blog.mageia.org/en/2014/11/26/lets-say-goodbye-to-mageia-3/ Updated package uploaded for Mageia 4. Advisory: ======================== Updated geary package fixes security vulnerability: Geary before 0.6.3 does not present the user with a warning when a TLS certificate error is detected, which makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted certificate (CVE-2014-5444). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5444 http://lists.opensuse.org/opensuse-updates/2014-09/msg00035.html ======================== Updated packages in core/updates_testing: ======================== geary-0.6.3-1.mga4 from geary-0.6.3-1.mga4.src.rpm
CC: (none) => olavAssignee: olav => qa-bugsWhiteboard: MGA3TOO => (none)
Testing MGA4-64 on HP6555b Installed geary without problems. Was able to connect to my gmail account. Sent an e-mail to other account and received reply back. Seems OK.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA4-64-OK
Testing on Mageia4x32 real hardware From geary-0.4.3-1.mga4.i586 to geary-0.6.3-1.mga4.i586 All OK
CC: (none) => olchalWhiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Validating, advisory uploaded.
Keywords: (none) => validated_updateWhiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisoryCC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0500.html
Status: NEW => RESOLVEDResolution: (none) => FIXED