Fedora has issued an advisory on March 10: https://lists.fedoraproject.org/pipermail/package-announce/2015-March/152471.html Fedora added this patch to 3.3.2: http://pkgs.fedoraproject.org/cgit/qt-creator.git/plain/qt-creator_62a83f911365eab71e7260484517ef6c739d5192.patch?h=f21&id=527b3bba9cf7a4d4948f51a6e012c702888678f6 which should help for Mageia 5. Fedora added this patch for 3.2.2: http://pkgs.fedoraproject.org/cgit/qt-creator.git/plain/qt-creator_62a83f911365eab71e7260484517ef6c739d5192.patch?h=f20 which might help for Mageia 4, which has 3.0.0. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
CC: (none) => doktor5000
Patched packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated qt-creator packages fix security vulnerability: Qt Creator does not verify SSH host keys when using the built-in SSH client. References: https://lists.fedoraproject.org/pipermail/package-announce/2015-March/152471.html ======================== Updated packages in core/updates_testing: ======================== qt-creator-3.0.0-1.5.mga4 qt-creator-doc-3.0.0-1.5.mga4 from qt-creator-3.0.0-1.5.mga4.src.rpm
Version: Cauldron => 4Assignee: mageia => qa-bugsWhiteboard: MGA5TOO, MGA4TOO => (none)
Testing complete mga4 64 The ssh seems only to be used when connecting devices. It's possible in the options. Tools > Options > Devices tab > Add > Generic Linux Device > Start Wizard Select Host Key authentication rather than Password, if you have it configured on the host. Testing the ssh is able connect but I don't want to alter ssh host keys so won't be directly testing the vulnerability. The device connection test is successful.
Whiteboard: (none) => has_procedure mga4-64-ok
validating. advisory uploaded.
Keywords: (none) => validated_updateWhiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok advisoryCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0137.html
Status: NEW => RESOLVEDResolution: (none) => FIXED