A CVE was requested for an issue fixed upstream in cups-filters on December 13:
http://openwall.com/lists/oss-security/2015/12/13/2
I've added the patch in Cauldron. Locally I've added the ";" to the CVE-2015-8327 patch for Mageia 5, but waiting for a CVE assignment before committing it.
This has been assigned CVE-2015-8560:
http://openwall.com/lists/oss-security/2015/12/14/13
Patched package uploaded for Mageia 5. This was already fixed in Cauldron.
Advisory:
========================
Updated cups-filters package fixes security vulnerability:
Adam Chester discovered that missing input sanitising in the foomatic-rip print filter might result in the execution of arbitrary commands (CVE-2015-8327).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8560
http://openwall.com/lists/oss-security/2015/12/14/13
========================
Updated packages in core/updates_testing:
========================
cups-filters-1.0.71-1.2.mga5
libcups-filters1-1.0.71-1.2.mga5
libcups-filters-devel-1.0.71-1.2.mga5
from cups-filters-1.0.71-1.2.mga5.src.rpm
Assignee: bugsquad => qa-bugs
Summary: cups-filters new security issue similar to CVE-2015-8327 => cups-filters new security issue CVE-2015-8560
On mga5-64
Installed packages from testing:
lib64cups-filters1-1.0.71-1.2.mga5
cups-filters-1.0.71-1.2.mga5
Packages installed cleanly. Printer continues to function normally.
OK for mga5-64
Whiteboard: (none) => MGA5-64-OK
Debian has issued an advisory for this on December 15: https://www.debian.org/security/2015/dsa-3419
Testing complete mga5 32, same as comment 2.
Validating. Advisory uploaded.
Please push to 5 updates.
Thanks
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => has_procedue advisory mga5-32-ok MGA5-64-OK
CC: (none) => sysadmin-bugs
URL: (none) => http://lwn.net/Vulnerabilities/668128/
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0476.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Hmm, I had the right CVE in the references and bug title, but the wrong one in the advisory text and the advisory committed to SVN had the wrong CVE. I fixed the advisory in SVN :o(