Fedora has issued an advisory on April 18: https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157358.html They added two patches in this commit: http://pkgs.fedoraproject.org/cgit/realmd.git/commit/?h=f21&id=4151226054b058f7fbea8f35b70b117e3a3aa197 It's actually the second patch (ldap-validate-text.patch) that fixes the CVE, but the other patch is security-relevant as well. Here's the RedHat bug for that other issue: https://bugzilla.redhat.com/show_bug.cgi?id=1205751 Mageia 4 is likely also affected. We may have to update it from the much older version it has if backporting the patches proves to be difficult.
Patches checked into Cauldron SVN. Freeze push requested.
Whiteboard: (none) => MGA5TOO, MGA4TOO
realmd-0.15.2-2.mga5 uploaded for Cauldron.
Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)
> We may have to update it from the much older version it has if backporting the
> patches proves to be difficult.
Seeing how old our version is, I think it would be simpler to update.
CC: (none) => mageia
It's certainly not patchable based on the patches used in F21. The code being patched isn't present in any recognizable form in 0.7 (version in Mageia 4). That may mean that it's not vulnerable. I'm not familiar enough with this package to know if the older version works as described for the two security issues. I'm also not sure if this package even works at all, given that it was written for Fedora/RedHat.
Ping..
Colin, I'm assigning it to you as cockpit seems to be the only package that requires it. If it doesn't get updated/patched I'll drop both packages :)
Assignee: bugsquad => mageia
Our cockpit package is really outdated too. Of course it's relatively young software so it's moving quickly upstream. Cockpit sounds neat, but I wonder if either of these packages really work since they'd need some adaptations for Mageia I'd think. I guess it's more likely that Colin's done what was needed for cockpit than anyone has for realmd. It would be nice to have a working realmd since it's supposed to simplify authentication setups that can be really complicated. Of course, I prefer to know what the tool is doing and what the actual needed configurations are :o)
realmd and cockpit moved to obsolete.
Hardware: i586 => All
Version: 4 => 5
OK, I'll revive them when I get a moment or three to update them. Will also update MGA5 (as I said to David on Friday).
FWIW, Cockpit worked fine here when I last played with it. I was able to login remotely to systems in my office and manage/monitor services. Realmd seems easy enough to update (simple update of 0.16.0 worked fine here), but not sure about how well it works practically speaking - may indeed need some more work. I tried updating cockpit, but it requires pcp which itself is a massive package with further deps. Will likely not get around to it for a while so it can stay in obsolete. I'm happy to kill it on older versions too if you like. I suspect no-one is using it anyway.
We can't kill it on older versions :/ That's why I moved it to obsolete on cauldron, so it wouldn't land in mga6 too if we haven't fixed it. But we can hope that it doesn't have too many users. Or if it has then maybe some of them are ready to package pcp :P
Version: 5 => 4
With only a couple of weeks remaining in Mageia 4's lifetime, we don't have time to fix this and test it. This package has been dropped and no longer exists in Mageia as of Mageia 6 (assuming nobody reintroduces it before then). Closing this as OLD.
Status: NEW => RESOLVED
Resolution: (none) => OLD