Fedora has issued an advisory on March 26:
The Red Hat bug says that the issue is fixed in 0.85.3:
I don't see a release announcement upstream yet.
Fedora added this patch from the 0.84 branch in Fedora 21:
Mageia 4 and Mageia 5 are affected.
Here's the Fedora advisory for the Fedora 21 update:
Cauldron is fixed.
I will look for mga4.
Fixed package is in mga4 core/updates_testing.
Patched packages uploaded for Mageia 4 and Cauldron. Thanks Nicolas!
They did finally post a release announcement for 0.85.3 upstream:
Updated glpi package fixes security vulnerability:
Any user who has the rights to create a new user can create a super-admin
Updated packages in core/updates_testing:
MGA5TOO, MGA4TOO =>
Testing complete mga4 32
Just ensuring it updates cleanly during mga5 final release cycle.
(In reply to claire robinson from comment #6)
> Testing complete mga4 32
> Just ensuring it updates cleanly during mga5 final release cycle.
Package updates cleanly on MGA4-64-OK on a VBox x86-64 VM.
Validating. Advisory uploaded.
Please push to 4 updates.
mga4-32-ok mga4-64-ok => advisory mga4-32-ok mga4-64-ok
An update for this issue has been pushed to Mageia Updates repository.