Debian has issued an advisory on November 3: https://www.debian.org/security/2015/dsa-3391

The Debian bug has a link to the upstream commit that's supposed to contain the fix: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803641
Version 5.2.8 is the latest stable Horde
Status: NEW => ASSIGNED
Summary: php-pear-Horde new security issue fixed upstream in 5.2.11 => php-pear-Horde new security issue fixed upstream in 5.2.8
This bug has been resolved in mga5 and committed in cauldron. I will submit the build after php has been stabilized and php-pear has been updated.

The following packages are now in updates_testing:
php-pear-Horde-5.2.8-1.mga5.src.rpm
php-pear-Horde-5.2.8-1.mga5.noarch.rpm
CC: (none) => thomas
Assignee: thomas => qa-bugs
Whiteboard: (none) => CAULDRON TOO
Thomas, php-pear-Horde still needs to be updated in Cauldron. Are we sure that 5.2.8 has this commit? https://github.com/horde/horde/commit/a199d74932c902844514b2a83d21e7e221257dae
Whiteboard: CAULDRON TOO => (none)
Oh, sorry I see that you already mentioned Cauldron. The upstream advisory is confusing because of the different version numbers (I guess between the different components): https://www.htbridge.com/advisory/HTB23272
Fedora advisory confirming php-horde 5.2.8 is the right fix: https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170692.html from http://lwn.net/Vulnerabilities/663319/
URL: http://lwn.net/Vulnerabilities/663067/ => http://lwn.net/Vulnerabilities/663319/
Looking at this to discover what *is* php-pear-Horde, I am mystified by the description of it in Add/Remove Software (for version 5.1.4-8): "This is now just an empty package that removes and obsoletes all php-pear-horde packages. They (php-pear-horde packages) can be installed individually by the user, using pear-install." Some clarification, please.
CC: (none) => lewyssmith
Yes, you are correct. We probably need to obsolete it in cauldron. I already obsoleted all php-pear-horde packages earlier. If you read on, the installation of the pear packages related to horde is problematic and in many cases breaks the installation. pear-install had all the good intentions, but there was a reason why Fedora packaged them. Also, the pear folks didn't provide a lot of help making the rpm with correct deps. They wanted everybody to use pear-install. So I would release this package to be safe, as Fedora did. I don't think anybody is still using it.
Thanks Thomas.

Testing Mga5 x64, just to see that the update happens without incident. But the pre-update installation did not!

# rpm -qa | grep php-pear-Horde
# [i.e. Not installed]
# urpmi php-pear-Horde
    $MIRRORLIST: media/core/release/php-pear-Horde-5.1.4-8.mga5.noarch.rpm
gosod php-pear-Horde-5.1.4-8.mga5.noarch.rpm o /var/cache/urpmi/rpms
Paratoi...                        #############################################
     1/1: php-pear-Horde          #############################################
install failed
warning: %post(php-pear-Horde-5.1.4-8.mga5.noarch) scriptlet failed, exit status 1
ERROR: 'script' failed for php-pear-Horde-5.1.4-8.mga5
# rpm -qa | grep php-pear-Horde
php-pear-Horde-5.1.4-8.mga5

So, despite the warnings and 'failure', it seems to have been installed.

UPDATED from Update Testing repos, using MCC/System Update. No visible problem.

# rpm -qa | grep php-pear-Horde
php-pear-Horde-5.2.8-1.mga5

--------------------------------
As a cross-check, I tried un-installing it then re-installing directly from Updates Testing. Hmm... [tynnu = removing, pecyn = packet]

# urpme php-pear-Horde
tynnu php-pear-Horde-5.2.8-1.mga5.noarch
tynnu pecyn php-pear-Horde-5.2.8-1.mga5.noarch.
     1/1: tynnu php-pear-Horde-5.2.8-1.mga5.noarch   #############################################
horde/horde not installed [?]
# urpmi php-pear-Horde
    $MIRRORLIST: media/core/updates_testing/php-pear-Horde-5.2.8-1.mga5.noarch.rpm
gosod php-pear-Horde-5.2.8-1.mga5.noarch.rpm o /var/cache/urpmi/rpms
Paratoi...                        #############################################
     1/1: php-pear-Horde          #############################################
install failed
warning: %post(php-pear-Horde-5.2.8-1.mga5.noarch) scriptlet failed, exit status 1
ERROR: 'script' failed for php-pear-Horde-5.2.8-1.mga5
# rpm -qa | grep php-pear-Horde
php-pear-Horde-5.2.8-1.mga5

So it throws the same installation error as previously, but seems to get installed.
On the basis of "So I would release this package to be safe", I give it an OK which can be removed if any of the strange things I note matter.
Whiteboard: (none) => MGA5-64-OK
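As an added illustration, not part of this bug report or of the Mageia packaging, here is a small POSIX shell check of the kind a QA tester can script for the verification above: it takes package names in the `rpm -qa` NVR form, extracts the upstream version, and compares it component by component against the version the thread names as carrying the fix (5.2.8). The two sample lines are constructed to match the versions seen in the test log; on a real system the line would come from `rpm -qa | grep php-pear-Horde`. Note the caveat the thread itself reaches: for this package the version tells you only what the metapackage claims, since it ships no files at all.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether an installed
# php-pear-Horde NVR is at or above the version named as carrying the fix.
# Sample NVR strings below are constructed; on a real host they would come
# from `rpm -qa | grep php-pear-Horde`.

FIXED_VERSION="5.2.8"   # version the thread names as containing the fix

# Compare two dotted numeric version strings component by component.
# Missing trailing components count as 0, so 5.2 == 5.2.0.
# Prints "lt", "eq" or "gt" describing $1 relative to $2.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; [ "$ah" = "$a" ] && a="" || a=${a#*.}
        bh=${b%%.*}; [ "$bh" = "$b" ] && b="" || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then echo lt; return; fi
        if [ "$ah" -gt "$bh" ]; then echo gt; return; fi
    done
    echo eq
}

# Extract the upstream version from an rpm NVR such as
# php-pear-Horde-5.2.8-1.mga5 (name, then version, then release).
nvr_version() {
    nvr="$1"; name="$2"
    vr=${nvr#"$name"-}       # 5.2.8-1.mga5
    echo "${vr%%-*}"         # 5.2.8
}

# Classify one NVR line: "fixed" if version >= FIXED_VERSION, else "vulnerable".
check_line() {
    v=$(nvr_version "$1" php-pear-Horde)
    case $(vercmp "$v" "$FIXED_VERSION") in
        lt) echo vulnerable ;;
        *)  echo fixed ;;
    esac
}

# Constructed sample lines in `rpm -qa` output format (not captured output).
for line in php-pear-Horde-5.1.4-8.mga5 php-pear-Horde-5.2.8-1.mga5; do
    printf '%s: %s\n' "$line" "$(check_line "$line")"
done
```

The comparison is numeric per component rather than a plain string compare, which is what makes 5.2.11 sort after 5.2.8 (a string compare would get that wrong). The release tag (1.mga5) is deliberately ignored, since the fix version quoted in the advisories is an upstream version.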
Thomas, any idea what is causing the %post failure?
Yes, because it's an empty package. BTW, Fedora retired it early this year.
It sounds like the %post could maybe be removed then?
I guess, it could. Actually, I wonder if we just should close this bug as invalid. The old version didn't have any files either.
(In reply to Thomas Spuhler from comment #12)
> I guess, it could.
> Actually, I wonder if we just should close this bug as invalid. The old
> version didn't have any files either.

Yeah, if this update doesn't actually "fix" anything since it's a fake package, it should be INVALID.
Done. I just obsoleted it in cauldron (task-obsolete). Sorry, I didn't remember this and made the QA folks work on it.
Status: ASSIGNED => RESOLVED
Resolution: (none) => INVALID
No problem. We have improved Mageia quality :)