Fedora has issued advisories on April 21: https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156647.html https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156646.html It's unknown which versions are affected. Reproducible: Steps to Reproduce:
flightgear-3.4.0-2.mga5 and flightgear-data-3.4.0-2.mga5 uploaded for Cauldron. Debian believes older version to be vulnerable: https://security-tracker.debian.org/tracker/TEMP-0780712-D0DD02
Version: Cauldron => 4
CC: (none) => lists.jjorge
Fedora did not bother patching FlightGear 2.12.0 in Fedora 20: http://pkgs.fedoraproject.org/cgit/FlightGear.git/log/FlightGear.spec?h=f20 I've had a look at how to patch our flightgear 2.12.1 in Mageia 4, but the involved code changed a lot in the 3.x branch, and I won't be able to make a patch that fixes the security issue without breaking the feature. The security issue does not seem very critical to me, so I'd be tempted to close this as WONTFIX. WDYT David?
I think as we have fgfs 3.x in backports which is working, the better idea would be to provide flightgear-3.4.0-1.mga4 as an update, with simgear and co. But sorry, no time for that this days (I'm on strike at work ;-).
Status: NEW => ASSIGNED
Yeah that's a possibility too.
Assignee: rverschelde => lists.jjorge
I'd be OK with not fixing this.
Closing as WONTFIX for now, the FlightGear version in Mageia 4 is now quite old and I'm not sure doing a late update to 3.4.0 would be good for users who play using the old version. It's still not fixed either in Fedora 20 nor Debian squeeze.
Status: ASSIGNED => RESOLVEDResolution: (none) => WONTFIX