Advisory Text
=============

The versions of MythTV included in Mageia 3 and 4 are vulnerable to SSDP Reflection attacks. This update includes a fix to prevent such use by disabling SSDP device discovery from non-local addresses.

Additionally, Schedules Direct users will now be able to make continued use of the service from 1st November when the current URL will be fully deprecated upstream.

Source RPMs:
mythtv-0.27.4-20141022.1.mga3
mythtv-0.27.4-20141022.1.mga3.tainted
mythtv-mythweb-0.27.4-1.mga3
mythtv-0.27.4-20141022.1.mga4
mythtv-0.27.4-20141022.1.mga4.tainted
mythtv-mythweb-0.27.4-1.mga4
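An added sketch (not part of the original report, and not MythTV's actual patch) of the kind of check the advisory describes: an SSDP responder answers an M-SEARCH only when the datagram's source address lies on one of the host's own subnets, so a spoofed off-link source gets no amplified reply. The subnet list, sample datagram and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: subnets of the host's own interfaces (assumed values).
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("192.168.1.0/24", "127.0.0.0/8", "fe80::/10")]

# Constructed sample of an SSDP discovery request.
SAMPLE_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\n"
                  b"HOST: 239.255.255.250:1900\r\n"
                  b'MAN: "ssdp:discover"\r\n'
                  b"MX: 2\r\n"
                  b"ST: ssdp:all\r\n\r\n")


def is_msearch(datagram: bytes) -> bool:
    """True if the datagram's request line is an SSDP discovery request."""
    first_line = datagram.split(b"\r\n", 1)[0].strip().upper()
    return first_line == b"M-SEARCH * HTTP/1.1"


def source_is_local(src_ip: str, local_nets=LOCAL_NETS) -> bool:
    """True if src_ip falls inside one of the host's directly attached subnets."""
    try:
        # Drop an IPv6 zone id such as "%eth0" before parsing.
        addr = ipaddress.ip_address(src_ip.split("%", 1)[0])
    except ValueError:
        return False  # unparseable source: never answer
    return any(addr.version == net.version and addr in net
               for net in local_nets)


def should_answer(datagram: bytes, src_ip: str, local_nets=LOCAL_NETS) -> bool:
    """Policy gate: reply to discovery only for on-link requesters."""
    return is_msearch(datagram) and source_is_local(src_ip, local_nets)


if __name__ == "__main__":
    for src in ("192.168.1.20", "203.0.113.7", "fe80::1%eth0"):
        print(src, "->", "answer" if should_answer(SAMPLE_MSEARCH, src) else "drop")
```
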
Whiteboard: (none) => MGA3TOO
Note to anyone testing, the mythtv-mythweb part of the update is purely cosmetic. It's not actually changed since 0.27.1 upstream.
Assignee: bugsquad => qa-bugs
RPMs

Mageia 3:
lib64myth0.27-0.27.4-20141022.1.mga3.x86_64.rpm
lib64myth-devel-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-backend-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-common-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-doc-0.27.4-20141022.1.mga3.noarch.rpm
mythtv-frontend-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-archive-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-browser-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-gallery-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-game-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-music-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-netvision-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-news-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-weather-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-zoneminder-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-setup-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-themes-base-0.27.4-20141022.1.mga3.noarch.rpm
perl-MythTV-0.27.4-20141022.1.mga3.x86_64.rpm
php-mythtv-0.27.4-20141022.1.mga3.noarch.rpm
python-mythtv-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-mythweb-0.27.4-1.mga3.noarch.rpm

Mageia 3 (Tainted):
lib64myth0.27-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
lib64myth-devel-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-backend-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-common-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-doc-0.27.4-20141022.1.mga3.tainted.noarch.rpm
mythtv-frontend-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-archive-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-browser-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-gallery-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-game-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-music-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-netvision-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-news-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-weather-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-zoneminder-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-setup-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-themes-base-0.27.4-20141022.1.mga3.tainted.noarch.rpm
perl-MythTV-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
php-mythtv-0.27.4-20141022.1.mga3.tainted.noarch.rpm
python-mythtv-0.27.4-20141022.1.mga3.tainted.x86_64.rpm

Mageia 4:
lib64myth0.27-0.27.4-20141022.1.mga4.x86_64.rpm
lib64myth-devel-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-backend-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-common-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-doc-0.27.4-20141022.1.mga4.noarch.rpm
mythtv-frontend-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-archive-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-browser-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-gallery-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-game-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-music-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-netvision-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-news-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-weather-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-zoneminder-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-setup-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-themes-base-0.27.4-20141022.1.mga4.noarch.rpm
perl-MythTV-0.27.4-20141022.1.mga4.x86_64.rpm
php-mythtv-0.27.4-20141022.1.mga4.noarch.rpm
python-mythtv-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-mythweb-0.27.4-1.mga4.noarch.rpm

Mageia 4 (Tainted):
lib64myth0.27-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
lib64myth-devel-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-backend-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-common-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-doc-0.27.4-20141022.1.mga4.tainted.noarch.rpm
mythtv-frontend-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-archive-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-browser-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-gallery-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-game-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-music-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-netvision-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-news-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-weather-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-zoneminder-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-setup-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-themes-base-0.27.4-20141022.1.mga4.tainted.noarch.rpm
perl-MythTV-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
php-mythtv-0.27.4-20141022.1.mga4.tainted.noarch.rpm
python-mythtv-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
Tested backend and frontend on a 64 bit KDE install for Mageia 4 and Cauldron.

Enabled testing media for my mga4 install. It was taking forever to attempt to disable ~500 rpm packages to just test mythtv changes. Talked to $DEITY about it, aborted drakrpm-update. Ran urpmi --auto --auto-update which installed 530 packages from Testing and tainted. Rebooted.

Test procedure:
To force new schedule location I added the following to /etc/hosts
54.85.117.227 docs.tms.tribune.com webservices.schedulesdirect.tmsdatadirect.com

Re-selected schedules direct in mythtv-setup. Deleted all channels, re-scanned, list.
Refilled schedule table with mythfilldatabase --dd-grab-all

Machine status showed only 13 days of schedules which is correct. Original schedule source has 16 days of data.

PS: ran my desktop application regression test script which tested 394 desktop files. I tagged 7 failures. Majority already failed on Cauldron and I did create bug reports for them. New kernel and fglrx driver works without problem.
CC: (none) => junknospam
Sounds like a good Uber test :) Will test my own MythTV system tonight when I get home.
Tested tainted build on MGA4 but it fails with an error related to VPX library. Seems the VPX lib is also in updates_testing repos, and thus we either need to rebuild mythtv without it, or include it in the same update. Either way, I will need to submit a new build with appropriate deps :( Does anyone know which update needs the libvpx version bump from 1.2 > 1.3?
FAO Bit Twister: When testing in older distros we generally recommend NOT taking all proposed updates from the update_testing repo. Some (as they are for testing) will never see the light of day and may be removed leaving your system with an unsupported package installed. In this case we might have pushed mythtv without pushing libvpx too thus breaking things.
Thank you for the reminder, but bug 14351 was keeping me from just selecting the myth packages and if it did not work by me just using urpmi I would not have known if it was me or a missing dependency. Now that bug 14353 has been cleared I can rsync /hotbu/ /mga4 and test just your update. I really wanted to make sure I was not going to be broke on November 1. Based on your Comment 5, I'll stick with a Testing "Production" environment. I'll restore my mga4 test bed node to official and wait for your next update.
OK, so the libvpx update is now pushed as part of the Thunderbird/Firefox update, so no need to rebuild anything :) I've installed mythtv on my Mageia 4 install. I don't have any Mageia 3 installs to test this on, but I think all will be well and if I get any reports I can address it accordingly. There were some grumbles the other day from users of MGA3 such that the frontend on MGA3 could not connect to the backend on MGA4 due to schema changes... all very nasty so would be nice to get these in sync.
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK advisory
A quick test mga3 32 before validating..

# etupdt
Enabling Tainted Updates Testing

# urpmi mythtv-backend mythtv-common mythtv-frontend mythtv-setup mythtv-themes-base perl-MythTV python-mythtv php-mythtv mythtv-plugin- -ya
The following package has to be removed for others to be upgraded:
libmyth0.26-0.26.0-20130328.1.mga3.tainted.i586
 (due to conflicts with libmyth0.27-0.27.4-20141022.1.mga3.tainted.i586) (y/N)

Is this conflict necessary Colin?
(In reply to claire robinson from comment #9)
> # urpmi mythtv-backend mythtv-common mythtv-frontend mythtv-setup
> mythtv-themes-base perl-MythTV python-mythtv php-mythtv mythtv-plugin- -ya
> The following package has to be removed for others to be upgraded:
> libmyth0.26-0.26.0-20130328.1.mga3.tainted.i586
> (due to conflicts with libmyth0.27-0.27.4-20141022.1.mga3.tainted.i586)
> (y/N)
>
>
> Is this conflict necessary Colin?

Yeah, sadly so. MythTV bundles a whole bunch of different libraries all with different majors etc. Some get updated, some don't when updating major MythTV versions.

Now they *should* (according to your library policy) all be nicely split out into separate packages, but I don't want to have the older build of a bundled library meant for MythTV n-1 satisfy deps for MythTV n. Even although the newer one would have a higher version and be thus selected during an auto-select, I took the lazy approach a long time ago and just bundled them all together.

Looking now I could potentially split them out a bit (lots have a 0.27 major and could thus stay together but libmythswscale, libmythresample, libmythqjson, libmythpostproc, libmythavformat, libmythavutil, libmythavfilter, libmythavdevice and libmythavcodec would all have to be separated out).

Personally, for this rather specific bit of software, I think it's OK to break the rules a bit for the sake of not allowing older library packages to remain installed - nothing should be linked to those old libraries anyway as they are internal to MythTV really.

So yeah, certainly for now at least, it's a needed conflict!

Hope that answers the question :)
Ideally updates shouldn't cause warnings like this. It's more an issue with the warning than removing the old lib. IINM it should also obsolete the older lib Colin to prevent it. I could easily be mistaken though..
Yeah, in this case it probably could obsolete it too, but if it's all the same to you, I'll just leave it like this for now. It's the same as it's been for the last five years and I'd have to rebuild and resubmit to lots of places! I'll fix it in cauldron going forward when the next version bump comes along so I can test it properly.
Validating then Colin, thanks.

Could sysadmin :) please push to updates

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-64-OK advisory => MGA3TOO mga3-32-ok MGA4-64-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0435.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/618456/