Description of problem:

KDE has issued an advisory for a security issue (CVE-2014-8651):
https://www.kde.org/info/security/advisory-20141106-1.txt
http://openwall.com/lists/oss-security/2014/11/04/9
http://lwn.net/Vulnerabilities/619817/

This security vulnerability in the KDE workspace configuration module for setting the date and time is fixed upstream in kde-workspace 4.11.14.

I've just pushed kdebase4-workspace 4.11.14 packages in cauldron, and in mga4 core/updates_testing.

(We have fixed this vulnerability in mga3 in bug 14487, by backporting upstream patch from KDE/4.11)

src.rpm:
kdebase4-workspace-4.11.14-1.mga4.src.rpm

packages for i586:
kdebase4-workspace-4.11.14-1.mga4.i586.rpm
kdebase4-workspace-devel-4.11.14-1.mga4.i586.rpm
kdebase4-workspace-handbooks-4.11.14-1.mga4.noarch.rpm
kdebase4-workspace-plasma-config-4.11.14-1.mga4.noarch.rpm
kdm-4.11.14-1.mga4.i586.rpm
kdm-handbook-4.11.14-1.mga4.noarch.rpm
kinfocenter-4.11.14-1.mga4.i586.rpm
kinfocenter-handbook-4.11.14-1.mga4.noarch.rpm
krandr-4.11.14-1.mga4.i586.rpm
libkdecorations4-4.11.14-1.mga4.i586.rpm
libkephal4-4.11.14-1.mga4.i586.rpm
libkfontinst4-4.11.14-1.mga4.i586.rpm
libkfontinstui4-4.11.14-1.mga4.i586.rpm
libkhotkeysprivate4-4.11.14-1.mga4.i586.rpm
libkscreensaver5-4.11.14-1.mga4.i586.rpm
libksgrd4-4.11.14-1.mga4.i586.rpm
libksignalplotter4-4.11.14-1.mga4.i586.rpm
libkwineffects1-4.11.14-1.mga4.i586.rpm
libkwinglesutils1-4.11.14-1.mga4.i586.rpm
libkwinglutils1-4.11.14-1.mga4.i586.rpm
libkworkspace4-4.11.14-1.mga4.i586.rpm
liblsofui4-4.11.14-1.mga4.i586.rpm
liboxygenstyle4-4.11.14-1.mga4.i586.rpm
liboxygenstyleconfig4-4.11.14-1.mga4.i586.rpm
libplasma_applet_system_monitor4-4.11.14-1.mga4.i586.rpm
libplasmaclock4-4.11.14-1.mga4.i586.rpm
libplasmagenericshell4-4.11.14-1.mga4.i586.rpm
libplasma-geolocation-interface4-4.11.14-1.mga4.i586.rpm
libpowerdevilconfigcommonprivate4-4.11.14-1.mga4.i586.rpm
libpowerdevilcore0-4.11.14-1.mga4.i586.rpm
libpowerdevilui4-4.11.14-1.mga4.i586.rpm
libprocesscore4-4.11.14-1.mga4.i586.rpm
libprocessui4-4.11.14-1.mga4.i586.rpm
libsystemsettingsview2-4.11.14-1.mga4.i586.rpm
libtaskmanager4-4.11.14-1.mga4.i586.rpm
libweather_ion6-4.11.14-1.mga4.i586.rpm
plasma-applet-battery-4.11.14-1.mga4.i586.rpm
plasma-applet-calendar-4.11.14-1.mga4.i586.rpm
plasma-applet-quicklaunch-4.11.14-1.mga4.i586.rpm
plasma-applet-system-monitor-cpu-4.11.14-1.mga4.i586.rpm
plasma-applet-system-monitor-hdd-4.11.14-1.mga4.i586.rpm
plasma-applet-system-monitor-hwinfo-4.11.14-1.mga4.i586.rpm
plasma-applet-system-monitor-net-4.11.14-1.mga4.i586.rpm
plasma-applet-system-monitor-temperature-4.11.14-1.mga4.i586.rpm
plasma-applet-webbrowser-4.11.14-1.mga4.i586.rpm
plasma-krunner-nepomuk-4.11.14-1.mga4.i586.rpm
plasma-krunner-powerdevil-4.11.14-1.mga4.i586.rpm
plasma-runner-places-4.11.14-1.mga4.i586.rpm
plasma-scriptengine-python-4.11.14-1.mga4.i586.rpm
plasma-scriptengine-ruby-4.11.14-1.mga4.noarch.rpm

packages for x86_64:
kdebase4-workspace-4.11.14-1.mga4.x86_64.rpm
kdebase4-workspace-devel-4.11.14-1.mga4.x86_64.rpm
kdebase4-workspace-handbooks-4.11.14-1.mga4.noarch.rpm
kdebase4-workspace-plasma-config-4.11.14-1.mga4.noarch.rpm
kdm-4.11.14-1.mga4.x86_64.rpm
kdm-handbook-4.11.14-1.mga4.noarch.rpm
kinfocenter-4.11.14-1.mga4.x86_64.rpm
kinfocenter-handbook-4.11.14-1.mga4.noarch.rpm
krandr-4.11.14-1.mga4.x86_64.rpm
lib64kdecorations4-4.11.14-1.mga4.x86_64.rpm
lib64kephal4-4.11.14-1.mga4.x86_64.rpm
lib64kfontinst4-4.11.14-1.mga4.x86_64.rpm
lib64kfontinstui4-4.11.14-1.mga4.x86_64.rpm
lib64khotkeysprivate4-4.11.14-1.mga4.x86_64.rpm
lib64kscreensaver5-4.11.14-1.mga4.x86_64.rpm
lib64ksgrd4-4.11.14-1.mga4.x86_64.rpm
lib64ksignalplotter4-4.11.14-1.mga4.x86_64.rpm
lib64kwineffects1-4.11.14-1.mga4.x86_64.rpm
lib64kwinglesutils1-4.11.14-1.mga4.x86_64.rpm
lib64kwinglutils1-4.11.14-1.mga4.x86_64.rpm
lib64kworkspace4-4.11.14-1.mga4.x86_64.rpm
lib64lsofui4-4.11.14-1.mga4.x86_64.rpm
lib64oxygenstyle4-4.11.14-1.mga4.x86_64.rpm
lib64oxygenstyleconfig4-4.11.14-1.mga4.x86_64.rpm
lib64plasma_applet_system_monitor4-4.11.14-1.mga4.x86_64.rpm
lib64plasmaclock4-4.11.14-1.mga4.x86_64.rpm
lib64plasmagenericshell4-4.11.14-1.mga4.x86_64.rpm
lib64plasma-geolocation-interface4-4.11.14-1.mga4.x86_64.rpm
lib64powerdevilconfigcommonprivate4-4.11.14-1.mga4.x86_64.rpm
lib64powerdevilcore0-4.11.14-1.mga4.x86_64.rpm
lib64powerdevilui4-4.11.14-1.mga4.x86_64.rpm
lib64processcore4-4.11.14-1.mga4.x86_64.rpm
lib64processui4-4.11.14-1.mga4.x86_64.rpm
lib64systemsettingsview2-4.11.14-1.mga4.x86_64.rpm
lib64taskmanager4-4.11.14-1.mga4.x86_64.rpm
lib64weather_ion6-4.11.14-1.mga4.x86_64.rpm
plasma-applet-battery-4.11.14-1.mga4.x86_64.rpm
plasma-applet-calendar-4.11.14-1.mga4.x86_64.rpm
plasma-applet-quicklaunch-4.11.14-1.mga4.x86_64.rpm
plasma-applet-system-monitor-cpu-4.11.14-1.mga4.x86_64.rpm
plasma-applet-system-monitor-hdd-4.11.14-1.mga4.x86_64.rpm
plasma-applet-system-monitor-hwinfo-4.11.14-1.mga4.x86_64.rpm
plasma-applet-system-monitor-net-4.11.14-1.mga4.x86_64.rpm
plasma-applet-system-monitor-temperature-4.11.14-1.mga4.x86_64.rpm
plasma-applet-webbrowser-4.11.14-1.mga4.x86_64.rpm
plasma-krunner-nepomuk-4.11.14-1.mga4.x86_64.rpm
plasma-krunner-powerdevil-4.11.14-1.mga4.x86_64.rpm
plasma-runner-places-4.11.14-1.mga4.x86_64.rpm
plasma-scriptengine-python-4.11.14-1.mga4.x86_64.rpm
plasma-scriptengine-ruby-4.11.14-1.mga4.noarch.rpm

Reproducible:

Steps to Reproduce:
Suggested advisory:

Updated kdebase4-workspace packages fix security vulnerability and various bugs

This update fixes a security vulnerability in the KDE workspace configuration module for setting the date and time - CVE-2014-8651 - (mga#14578), and fixes some additional issues:
- fix foreground color for GTK2 menus (bko#127861),
- improve contrast for rendering checkbox marks, arrows, etc (bko#337433),
- fix icons size in kmenuedit (bko#338883).

References:
https://bugs.mageia.org/show_bug.cgi?id=14578
https://www.kde.org/info/security/advisory-20141106-1.txt
https://bugs.kde.org/show_bug.cgi?id=127861
https://bugs.kde.org/show_bug.cgi?id=337433
https://bugs.kde.org/show_bug.cgi?id=338883
Assignee: bugsquad => qa-bugs
Tested Mageia 4 i586. Desktop still works OK. Couldn't reproduce the CVE, but no noticeable changes in kcmshell4 clock. Gtk+2 menus look fine in chbg. kmenuedit looks fine.
Whiteboard: (none) => MGA4-32-OK
Tested mga4_64, real hardware.

Testing complete for the new kdebase4-workspace-4.11.14-1.mga4 update, OK for me. All seems to work properly here and nothing to report.
CC: (none) => geiger.david68210
Thanks David. Validating now. Advisory in Comment 1, package list in Comment 0. Could someone please upload the advisory? Sysadmins, once the advisory is uploaded, please push to core/updates_testing. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory
Just a little question. Why are these KDE packages in version 4.11.14 while others are in version 4.12.5?
CC: (none) => olivier.delaune
It's frozen upstream, so it stays as a 4.11.x version.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0480.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED