Florian Weimer from RedHat pointed out that multiple security issues were fixed upstream in virtuoso-opensource in the last couple of years:
http://openwall.com/lists/oss-security/2015/05/05/12

These are all fixed in the newest release, 7.2.0. It looks like we could fix these by updating to 6.1.8 and adding commits 4ae3693 and 58568be.
CC: (none) => lmenut
Blocks: (none) => 14674
Whiteboard: (none) => MGA5TOO, MGA4TOO
Hum, we should be careful with this update. Most distributions still use virtuoso-opensource 6.1.6 because 6.1.7 has a regression which breaks things in KDE. I don't know if this was fixed in 6.1.8 or not. But Fedora and openSUSE still use virtuoso-opensource 6.1.6, and they haven't pushed a security fix for now.
https://mail.kde.org/pipermail/release-team/2013-August/007313.html

-------- Forwarded message --------
Subject: Regression with Virtuoso 6.1.7
Date: Thu, 29 Aug 2013 20:33:28 +0530
From: Vishesh Handa <me@vhanda.in>
Reply-To: KDE release coordination <release-team@kde.org>
To: KDE release coordination <release-team@kde.org>, kde-packagers@kde.org

Hey guys

Please do not ship virtuoso 6.1.7 with KDE 4.11. It contains a regression which breaks ratings and maybe many more things. I'm in contact with the virtuoso team, and hopefully they will fix it soon. Fixing this from our end would require a big change in Soprano and many parts of Nepomuk. This is not something we want to do.

@Release team: Do you think I should explicitly block 6.1.7 on a Nepomuk level? I would just need to revert 0e01d5b5 from nepomuk-core.

-- Vishesh Handa
Yes, we know. I already knew about the regression in 6.1.7 and talked to Nicolas about this on IRC. This is why we didn't push this update at the time I filed this. We'll have to test it carefully.
Ping..
CC: (none) => mageia
Sounds like 6.1.8 should be safe:
https://mail.kde.org/pipermail/nepomuk/2013-December/004854.html

7.1.0 is not, though; it drops support for i586. Frugalware had skipped 6.1.7 like everyone else, but did go back to 6.1.8 after trying 7.x:
http://www4.frugalware.org/pub/linux/distributions/frugalware/frugalware-2.0/source/apps/virtuoso/Changelog

I've checked the update into SVN for Mageia 4, Mageia 5, and Cauldron, but not pushed to the build system yet. I was going to try to run the nepomuk-core test suite like the upstream mailing list reference I posted said, but I can't figure out how to run it.
I figured out how to run the nepomuk-core test suite.

Check out nepomuk-core from SVN:
  mgarepo co -d 4 nepomuk-core

Build it locally:
  cd nepomuk-core
  bm -ls
  (as root) urpmi SRPMS/nepomuk-core-4.12.5-1.mga4.src.rpm
  bm -l

Run test suite:
  cd BUILD/nepomuk-core-4.12.5
  cd build/autotests; ctest -VV

With virtuoso-opensource 6.1.6:
  100% tests passed, 0 tests failed out of 10
  Total Test time (real) = 417.31 sec

With virtuoso-opensource 6.1.8:
  100% tests passed, 0 tests failed out of 10
  Total Test time (real) = 484.30 sec
Correction to the test procedure. Had to have virtuoso-opensource, nepomuk-core, and x11-server-xvfb installed.

Run test suite:
  cd BUILD/nepomuk-core-4.12.5
  cd build/autotests
  cd lib/tools
  source runNepomukTest.sh
  (this killed my shell)
  (new shell session)
  cd nepomuk-core/BUILD/nepomuk-core-4.12.5/build/autotests
  ctest -VV
On Mageia 5, it's 4.14.3 instead of 4.12.5.

With virtuoso-opensource 6.1.6:
  100% tests passed, 0 tests failed out of 10
  Total Test time (real) = 460.72 sec

With virtuoso-opensource 6.1.8:
  100% tests passed, 0 tests failed out of 10
  Total Test time (real) = 471.97 sec
Just in case there's any concern over the times, I ran it again on mga4:
  100% tests passed, 0 tests failed out of 10
  Total Test time (real) = 431.43 sec

Also, I don't know if the runNepomukTest.sh was needed, and I had also done "source nepomuk-sandbox-begin.sh" in that same directory, and don't know if that was needed. I guess I fiddled a bit, but I got it to run and have run several successful tests on Mageia 4 and Mageia 5 i586.
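The comments above compare two hand-read ctest summaries (6.1.6 baseline vs. 6.1.8 candidate) before validating the update. The script below is an added example, not from the bug report or the Mageia packages: it parses the ctest summary lines, refuses the update if either run reports a failure, and reports how much slower the candidate run was. The log text and the field layout of ctest's summary are taken from the comments; the slowdown helper is an addition.

```shell
#!/bin/sh
# Added example: gate a package update on the nepomuk-core ctest results.

# Constructed ctest summaries, copied from the format pasted in this bug.
BASELINE_LOG='100% tests passed, 0 tests failed out of 10
Total Test time (real) = 417.31 sec'
CANDIDATE_LOG='100% tests passed, 0 tests failed out of 10
Total Test time (real) = 484.30 sec'

# ctest_summary LOG -> prints "passed_percent failed total seconds" taken from
# the two summary lines at the end of "ctest -VV" output; fails if absent.
ctest_summary() {
    printf '%s\n' "$1" | awk '
        /tests passed/    { gsub("[,%]", ""); passed = $1; failed = $4; total = $9 }
        /Total Test time/ { secs = $6 }
        END { if (passed == "") exit 1
              printf "%s %s %s %s\n", passed, failed, total, secs }'
}

# run_passed LOG -> 0 only when 100% of tests passed and none failed.
run_passed() {
    summary=$(ctest_summary "$1") || return 1
    set -- $summary
    [ "$1" = "100" ] && [ "$2" = "0" ]
}

# slowdown_percent BASE_LOG CAND_LOG -> whole percent the candidate run took
# longer than the baseline (negative if faster); a sanity check on run times.
slowdown_percent() {
    base=$(ctest_summary "$1" | awk '{ print $4 }')
    cand=$(ctest_summary "$2" | awk '{ print $4 }')
    awk -v b="$base" -v c="$cand" 'BEGIN { printf "%d\n", (c - b) * 100 / b }'
}

# Stand-alone run: decide on the constructed logs.
if run_passed "$BASELINE_LOG" && run_passed "$CANDIDATE_LOG"; then
    echo "both runs passed; candidate slower by $(slowdown_percent "$BASELINE_LOG" "$CANDIDATE_LOG")%"
else
    echo "test suite regression: do not validate the update" >&2
fi
```

With real runs, capture each suite with `ctest -VV 2>&1 | tee ctest-6.1.8.log` and pass `"$(cat ctest-6.1.8.log)"` to the functions in place of the constructed strings.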
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO has_procedure MGA4-32-OK MGA5-32-OK
Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron. I have run successful tests; see the previous comments for how.

Advisory:
========================

Updated virtuoso-opensource packages fix security vulnerabilities:

The virtuoso-opensource package has been updated to version 6.1.8, and two additional upstream patches from versions 7.1.0 and 7.2.0 with additional fixes for unspecified security issues have been added.

References:
http://openwall.com/lists/oss-security/2015/05/05/12
http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VOSNews2013
http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VOSNews
========================

Updated packages in core/updates_testing:
========================
virtuoso-opensource-6.1.8-1.mga4
virtuoso-opensource-applications-6.1.8-1.mga4
virtuoso-opensource-jars-6.1.8-1.mga4
virtuoso-opensource-6.1.8-1.mga5
virtuoso-opensource-applications-6.1.8-1.mga5
virtuoso-opensource-jars-6.1.8-1.mga5

from SRPMS:
virtuoso-opensource-6.1.8-1.mga4.src.rpm
virtuoso-opensource-6.1.8-1.mga5.src.rpm
CC: (none) => mageia
Assignee: mageia => qa-bugs
Advisory committed to svn, and update validated. Someone from the sysadmin team please push 15853.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA5-32-OK => MGA4TOO has_procedure MGA4-32-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0269.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/650633/