Fedora has issued an advisory on December 1:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145767.html

The security issue is actually in jQuery UI, which apparently is bundled by couchdb and several other packages, according to the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1166041

Some other packages that we have that are in RedHat's list are:
dokuwiki, fish, yelp-xsl, mediawiki, python-sphinx, calibre, python-werkzeug, python-django14, python-django, wordpress, hotot, sagemath, sparkleshare, wesnoth, libgda, openteacher, ikiwiki, perl-Mojolicious, zabbix, drupal, spyder

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5312

Thomas was the last one working on this package, and it doesn't build now.
URL: (none) => http://lwn.net/Vulnerabilities/626058/
CC: (none) => shlomif
David Walser, hi! What am I supposed to do? Which packages should I update?
(In reply to Shlomi Fish from comment #1)
> David Walser, hi! What am I supposed to do? Which packages should I update?

couchdb in Mageia 4. I've already added the patch in SVN, but the package doesn't build. That needs to be fixed.
(In reply to David Walser from comment #2)
> (In reply to Shlomi Fish from comment #1)
> > David Walser, hi! What am I supposed to do? Which packages should I update?
>
> couchdb in Mageia 4. I've already added the patch in SVN, but the package
> doesn't build. That needs to be fixed.

Hi, I fixed the build problems (by porting fixes from Cauldron) in couchdb-1.4.0-2.5mga4 in http://pkgsubmit.mageia.org/ . Please test.

Regards,

-- Shlomi Fish
Thanks Shlomi!

Advisory:
========================

Updated couchdb packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option (CVE-2010-5312).

The embedded copy of jQuery UI in couchdb has been updated to version 1.10.4 to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5312
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145767.html
========================

Updated package in core/updates_testing:
========================
couchdb-1.4.0-2.5.mga4
couchdb-bin-1.4.0-2.5.mga4

from couchdb-1.4.0-2.5.mga4.src.rpm
Assignee: tmb => qa-bugs
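The advisory above describes the root cause as the Dialog widget's title option being inserted as markup. The following is an added example, not code from this bug, CouchDB or jQuery UI: it models the pre-1.10.0 behaviour (option value used as HTML) beside the fixed behaviour (option value treated as text) and a small check a packager could use to confirm which one an embedded copy exhibits. The function names, the escaping helper and the sample title are constructed for illustration.

```javascript
// Added example modelling CVE-2010-5312 (jQuery UI Dialog title option).
// Assumption: the fix in 1.10.0 treats the title as text instead of HTML,
// which is what "inject arbitrary web script or HTML via the title option" implies.

// Minimal HTML escaping, equivalent to what a text-mode DOM insertion does.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Pre-1.10.0 behaviour (vulnerable): the option value lands in the title bar as markup,
// so any tags it carries become part of the page.
function renderTitleLegacy(title) {
  return `<span class="ui-dialog-title">${title}</span>`;
}

// 1.10.0+ behaviour (fixed): the option value is rendered as text, so tags in it are inert.
function renderTitleFixed(title) {
  return `<span class="ui-dialog-title">${escapeHtml(title)}</span>`;
}

// Defender-side check: does a given renderer add tags that are not in its own template?
// A renderer that passes this with an attacker-influenced title keeps the title data-only.
function titleIntroducesMarkup(render, title) {
  const countTags = (html) => (html.match(/<[^>]+>/g) || []).length;
  return countTags(render(title)) > countTags(render(""));
}

// Constructed sample: a title that comes from untrusted input (e.g. a document name).
const untrustedTitle = "Report <b>Q4</b>";

// Usage: the legacy renderer turns the <b> into real markup, the fixed one does not.
console.log("legacy introduces markup:", titleIntroducesMarkup(renderTitleLegacy, untrustedTitle));
console.log("fixed introduces markup: ", titleIntroducesMarkup(renderTitleFixed, untrustedTitle));
```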
(In reply to David Walser from comment #0)
> Some other packages that we have that are in RedHat's list are:
> dokuwiki, fish, yelp-xsl, mediawiki, python-sphinx, calibre,
> python-werkzeug, python-django14, python-django, wordpress, hotot, sagemath,
> sparkleshare, wesnoth, libgda, openteacher, ikiwiki, perl-Mojolicious,
> zabbix, drupal, spyder

RedHat/Fedora have ruled out mediawiki, fish, python-django14, python-django, python-werkzeug, zabbix, spyder, and perl-Mojolicious as being affected. Wordpress version 4 is not, but 3.9 may still be. The hotot package is not fixable and has been retired because it is dead upstream. We do not have sagemath packaged.

dokuwiki, fish, yelp-xsl, python-sphinx, calibre, sparkleshare, wesnoth, libgda, openteacher, ikiwiki, drupal, and spyder have not been ruled out yet.
MGA4-64 on HP Probook 6555b KDE and MGA4-32 on Acer D620 Xfce. No installation issues.
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
CC: (none) => herman.viaene
It's actually pretty easy to functionally test this one.
http://wiki.apache.org/couchdb/CouchIn15Minutes
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK
Ran "Hello World" example on both MGA4-64 and MGA4-32.
Thanks Herman. Validating. Advisory uploaded. Please push to updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0559.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED