Bug 14347 - Update MythTV to address Schedules Direct API issue and some Security Issues.
Summary: Update MythTV to address Schedules Direct API issue and some Security Issues.
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/618456/
Whiteboard: MGA3TOO mga3-32-ok MGA4-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-10-23 10:08 CEST by Colin Guthrie
Modified: 2014-10-29 18:18 CET

See Also:
Source RPM: mythtv
CVE:
Status comment:


Description Colin Guthrie 2014-10-23 10:08:49 CEST
Advisory Text
=============

The versions of MythTV included in Mageia 3 and 4 are vulnerable to SSDP Reflection attacks.

This update includes a fix to prevent such use by disabling SSDP device discovery from non-local addresses.

Additionally, Schedules Direct users will now be able to make continued use of the service from 1st November when the current URL will be fully deprecated upstream.

Source RPMs:
 mythtv-0.27.4-20141022.1.mga3
 mythtv-0.27.4-20141022.1.mga3.tainted
 mythtv-mythweb-0.27.4-1.mga3
 mythtv-0.27.4-20141022.1.mga4
 mythtv-0.27.4-20141022.1.mga4.tainted
 mythtv-mythweb-0.27.4-1.mga4
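
Added illustration (not part of the original report and not MythTV's code): the kind of check the advisory text describes, answering an SSDP M-SEARCH only when the datagram's source address falls inside a subnet of a local interface. The subnet list, function names and sample datagram are constructed assumptions.

```python
import ipaddress

# Assumed subnets of the interfaces the service listens on (constructed values).
LOCAL_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("192.168.1.0/24", "127.0.0.0/8", "fe80::/10")]

# Constructed sample of an SSDP discovery request.
SAMPLE = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')


def parse_msearch(datagram):
    """Return the header dict of an M-SEARCH request, or None for anything else."""
    try:
        lines = datagram.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    if lines[0].strip() != "M-SEARCH * HTTP/1.1":
        return None
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header section
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def is_local(src_ip, networks=LOCAL_NETWORKS):
    """True only if src_ip parses and lies inside one of the local subnets."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; compare the IPv4 form.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net for net in networks)


def handle(datagram, src_ip):
    """Decide what to do with one received datagram."""
    headers = parse_msearch(datagram)
    if headers is None:
        return "ignore: not an M-SEARCH"
    if headers.get("MAN", "").strip('"') != "ssdp:discover":
        return "ignore: bad MAN header"
    if not is_local(src_ip):
        return "drop: non-local source"   # no reply, so nothing to reflect
    return "respond"
```

Because UDP source addresses can be forged, this check limits replies to the local segment; it does not authenticate the requester.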



 


Colin Guthrie 2014-10-23 10:09:29 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Colin Guthrie 2014-10-23 10:14:34 CEST
Note to anyone testing, the mythtv-mythweb part of the update is purely cosmetic. It's not actually changed since 0.27.1 upstream.
Colin Guthrie 2014-10-23 10:18:52 CEST

Assignee: bugsquad => qa-bugs

Comment 2 Colin Guthrie 2014-10-23 12:02:21 CEST
RPMs

Mageia 3:

lib64myth0.27-0.27.4-20141022.1.mga3.x86_64.rpm
lib64myth-devel-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-backend-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-common-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-doc-0.27.4-20141022.1.mga3.noarch.rpm
mythtv-frontend-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-archive-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-browser-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-gallery-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-game-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-music-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-netvision-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-news-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-weather-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-plugin-zoneminder-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-setup-0.27.4-20141022.1.mga3.x86_64.rpm
mythtv-themes-base-0.27.4-20141022.1.mga3.noarch.rpm
perl-MythTV-0.27.4-20141022.1.mga3.x86_64.rpm
php-mythtv-0.27.4-20141022.1.mga3.noarch.rpm
python-mythtv-0.27.4-20141022.1.mga3.x86_64.rpm

mythtv-mythweb-0.27.4-1.mga3.noarch.rpm


Mageia 3 (Tainted):

lib64myth0.27-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
lib64myth-devel-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-backend-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-common-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-doc-0.27.4-20141022.1.mga3.tainted.noarch.rpm
mythtv-frontend-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-archive-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-browser-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-gallery-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-game-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-music-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-netvision-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-news-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-weather-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-plugin-zoneminder-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-setup-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
mythtv-themes-base-0.27.4-20141022.1.mga3.tainted.noarch.rpm
perl-MythTV-0.27.4-20141022.1.mga3.tainted.x86_64.rpm
php-mythtv-0.27.4-20141022.1.mga3.tainted.noarch.rpm
python-mythtv-0.27.4-20141022.1.mga3.tainted.x86_64.rpm


Mageia 4:

lib64myth0.27-0.27.4-20141022.1.mga4.x86_64.rpm
lib64myth-devel-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-backend-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-common-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-doc-0.27.4-20141022.1.mga4.noarch.rpm
mythtv-frontend-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-archive-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-browser-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-gallery-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-game-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-music-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-netvision-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-news-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-weather-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-plugin-zoneminder-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-setup-0.27.4-20141022.1.mga4.x86_64.rpm
mythtv-themes-base-0.27.4-20141022.1.mga4.noarch.rpm
perl-MythTV-0.27.4-20141022.1.mga4.x86_64.rpm
php-mythtv-0.27.4-20141022.1.mga4.noarch.rpm
python-mythtv-0.27.4-20141022.1.mga4.x86_64.rpm

mythtv-mythweb-0.27.4-1.mga4.noarch.rpm


Mageia 4 (Tainted):

lib64myth0.27-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
lib64myth-devel-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-backend-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-common-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-doc-0.27.4-20141022.1.mga4.tainted.noarch.rpm
mythtv-frontend-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-archive-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-browser-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-gallery-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-game-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-music-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-netvision-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-news-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-weather-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-plugin-zoneminder-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-setup-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
mythtv-themes-base-0.27.4-20141022.1.mga4.tainted.noarch.rpm
perl-MythTV-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
php-mythtv-0.27.4-20141022.1.mga4.tainted.noarch.rpm
python-mythtv-0.27.4-20141022.1.mga4.tainted.x86_64.rpm
Comment 3 Bit Twister 2014-10-23 16:27:30 CEST
Tested backend and frontend on a 64 bit KDE install for mageia 4 and Cauldron.

Enable testing media for my mga4 install.
It was taking forever to attempt to disable ~500 rpm packages to just test mythtv changes. Talked to $DEITY about it, aborted drakrpm-update. Ran
urpmi --auto --auto-update which installed 530 packages from Testing and tainted. Rebooted.

Test procedure:
To force new schedule location I added the following to /etc/hosts
54.85.117.227  docs.tms.tribune.com webservices.schedulesdirect.tmsdatadirect.com

Re-selected schedules direct in mythtv-setup.
Deleted all channels, re-scanned, list.
refilled schedule table with mythfilldatabase --dd-grab-all
Machine status showed only 13 days of schedules which is correct.
Original schedule source has 16 days of data.

PS: ran my desktop application regression test script which tested 394 desktop files. I tagged 7 failures. Majority already failed on Cauldron and I did create bug reports for them.

New kernel and fglrx driver works without problem.

CC: (none) => junknospam

Comment 4 Colin Guthrie 2014-10-23 16:34:22 CEST
Sounds like a good Uber test :)

Will test my own MythTV system tonight when I get home.
Comment 5 Colin Guthrie 2014-10-24 10:26:16 CEST
Tested tainted build on MGA4 but it fails with an error related to VPX library.

Seems the VPX lib is also in updates_testing repos, and thus we either need to rebuild mythtv without it, or include it in the same update.

Either way, I will need to submit a new build with appropriate deps :(

Does anyone know which update needs the libvpx version bump from 1.2 > 1.3?
Comment 6 Colin Guthrie 2014-10-24 10:27:51 CEST
FAO Bit Twister: When testing in older distros we generally recommend NOT taking all proposed updates from the update_testing repo. Some (as they are for testing) will never see the light of day and may be removed leaving your system with an unsupported package installed.

In this case we might have pushed mythtv without pushing libvpx too thus breaking things.
Comment 7 Bit Twister 2014-10-24 11:14:23 CEST
Thank you for the reminder, but bug 14351 was keeping me from just selecting the myth packages and if it did not work by me just using urpmi I would not have known if it was me or a missing dependency. Now that bug 14353 has been cleared I can rsync /hotbu/ /mga4 and test just your update.

I really wanted to make sure I was not going to be broke on November 1.

Based on your Comment 5, I'll stick with a Testing "Production" environment.
I'll restore my mga4 test bed node to official and wait for your next update.
Comment 8 Colin Guthrie 2014-10-28 13:05:12 CET
OK, so the libvpx update is now pushed as part of the Thunderbird/Firefox update, so no need to rebuild anything :)

I've installed mythtv on my Mageia 4 install.

I don't have any Mageia 3 installs to test this on, but I think all will be well and if I get any reports I can address it accordingly.

There were some grumbles the other day from users of MGA3 such that the frontend on MGA3 could not connect to the backend on MGA4 due to schema changes... all very nasty so would be nice to get these in sync.
Colin Guthrie 2014-10-28 13:05:45 CET

Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Colin Guthrie 2014-10-28 13:19:34 CET

Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK advisory

Comment 9 claire robinson 2014-10-28 14:12:56 CET
A quick test mga3 32 before validating..

# etupdt
Enabling Tainted Updates Testing

# urpmi mythtv-backend mythtv-common mythtv-frontend mythtv-setup mythtv-themes-base perl-MythTV python-mythtv php-mythtv mythtv-plugin- -ya
The following package has to be removed for others to be upgraded:
libmyth0.26-0.26.0-20130328.1.mga3.tainted.i586
 (due to conflicts with libmyth0.27-0.27.4-20141022.1.mga3.tainted.i586) (y/N)


Is this conflict necessary Colin?
Comment 10 Colin Guthrie 2014-10-28 14:42:52 CET
(In reply to claire robinson from comment #9)
> # urpmi mythtv-backend mythtv-common mythtv-frontend mythtv-setup
> mythtv-themes-base perl-MythTV python-mythtv php-mythtv mythtv-plugin- -ya
> The following package has to be removed for others to be upgraded:
> libmyth0.26-0.26.0-20130328.1.mga3.tainted.i586
>  (due to conflicts with libmyth0.27-0.27.4-20141022.1.mga3.tainted.i586)
> (y/N)
> 
> 
> Is this conflict necessary Colin?

Yeah, sadly so.

MythTV bundles a whole bunch of different libraries all with different majors etc. Some get updated, some don't when updating major MythTV versions. Now they *should* (according to your library policy) all be nicely split out into separate packages, but I don't want to have the older build of a bundled library meant for MythTV n-1 satisfy deps for MythTV n. Even although the newer one would have a higher version and be thus selected during an auto-select, I took the lazy approach a long time ago and just bundled them all together.

Looking now I could potentially split them out a bit (lots have a 0.27 major and could thus stay together but libmythswscale, libmythresample, libmythqjson, libmythpostproc, libmythavformat, libmythavutil, libmythavfilter, libmythavdevice and libmythavcodec would all have to be separated out).

Personally, for this rather specific bit of software, I think it's OK to break the rules a bit for the sake of not allowing older library packages to remain installed - nothing should be linked to those old libraries anyway as they are internal to MythTV really.

So yeah, certainly for now at least, it's a needed conflict!

Hope that answers the question :)
Comment 11 claire robinson 2014-10-28 15:38:43 CET
Ideally updates shouldn't cause warnings like this. It's more an issue with the warning than removing the old lib. IINM it should also obsolete the older lib Colin to prevent it. I could easily be mistaken though..
Comment 12 Colin Guthrie 2014-10-28 16:06:36 CET
Yeah, in this case it probably could obsolete it too, but if it's all the same to you, I'll just leave it like this for now. It's the same as it's been for the last five years and I'd have to rebuild and resubmit to lots of places! I'll fix it in cauldron going forward when the next version bump comes along so I can test it properly.
Comment 13 claire robinson 2014-10-28 16:50:56 CET
Validating then Colin, thanks.

Could sysadmin :) please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-64-OK advisory => MGA3TOO mga3-32-ok MGA4-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 14 Mageia Robot 2014-10-29 12:31:26 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0435.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-10-29 18:18:19 CET

URL: (none) => http://lwn.net/Vulnerabilities/618456/

