CVEs were requested for security issues fixed in radicale 1.1: http://openwall.com/lists/oss-security/2016/01/05/7 I'm not sure if Mageia 5 is affected.
CVE-2015-8747 and CVE-2015-8748 assigned for a couple of the issues: http://openwall.com/lists/oss-security/2016/01/06/4 More assignments may come later. It's not clear yet what issues may affect 0.7.1 in Mageia 5, but I'd guess that at least some of them do. radicale-1.1.mga6 has been uploaded for Cauldron by Jani, so that's fixed now.
Version: Cauldron => 5
Summary: radicale new security issues fixed upstream in 1.1 => radicale new security issues fixed upstream in 1.1 (CVE-2015-874[78])
Source RPM: radicale-1.0.1-2.mga6.src.rpm => radicale-0.7.1-8.mga5.src.rpm
FYI, there's a 1.1.1 bugfix release out now too, which Fedora just updated to. Fedora has issued an advisory for this on January 19: https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175738.html Debian and Ubuntu's vulnerability pages indicate that they believe older versions are vulnerable, so Mageia 5 would need an update for this.
URL: (none) => http://lwn.net/Vulnerabilities/672564/
Severity: normal => critical
Debian-LTS has issued an advisory for this on January 26: http://lwn.net/Alerts/673750/ If you'd prefer to patch this, their patches may be helpful.
Updated package uploaded by Jani.

Advisory:
========================

Updated radicale package fixes security vulnerabilities:

The radicale package has been updated to version 1.1.1, which fixes several security issues, including issues with path sanitation (CVE-2015-8747) and regex injection in rights management (CVE-2015-8748).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8747
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8748
http://radicale.org/news/
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175738.html
========================

Updated packages in core/updates_testing:
========================

radicale-1.1.1-1.mga5

from radicale-1.1.1-1.mga5
CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs
Revised advisory.

Advisory:
========================

Updated radicale package fixes security vulnerabilities:

If an attacker is able to authenticate with a user name like `.*', he can bypass read/write limitations imposed by regex-based rules, including the built-in rules `owner_write' (read for everybody, write for the calendar owner) and `owner_only' (read and write for the calendar owner) (CVE-2015-8748).

The radicale package has been updated to version 1.1.1, fixing this issue and several other security issues.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8748
http://radicale.org/news/
https://www.debian.org/security/2016/dsa-3462
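As an added illustration of the regex-injection issue the advisory describes (constructed example, not radicale's own code), here is a simplified model of an `owner_only'-style rights rule whose collection pattern embeds the login name, shown once with the pre-fix verbatim substitution and once with the login escaped so it can only match itself:

```python
import re

# Constructed model of a rights rule (assumption: a pattern of this shape,
# not radicale's real rule syntax). It grants access to any collection
# located under the authenticated user's own directory.
OWNER_ONLY_COLLECTION_RULE = r"^%(login)s/.+$"


def authorized_vulnerable(login, collection, rule=OWNER_ONLY_COLLECTION_RULE):
    """Pre-1.1 behaviour modelled: the login is substituted verbatim, so a
    login that is itself a regex (e.g. '.*') becomes part of the rule and
    the 'owner' check matches every collection."""
    pattern = rule.replace("%(login)s", login)
    return re.match(pattern, collection) is not None


def authorized_fixed(login, collection, rule=OWNER_ONLY_COLLECTION_RULE):
    """Hardened variant: re.escape() turns the login into a literal, so a
    user named '.*' may only reach collections under the directory that is
    literally called '.*'."""
    pattern = rule.replace("%(login)s", re.escape(login))
    return re.match(pattern, collection) is not None


def compare(login, collection):
    """Return (vulnerable_decision, fixed_decision) for one access request."""
    return (authorized_vulnerable(login, collection),
            authorized_fixed(login, collection))


if __name__ == "__main__":
    # Constructed sample requests: a normal owner, a cross-user request,
    # and a regex-shaped login trying to read another user's calendar.
    for login, collection in [("alice", "alice/calendar.ics"),
                              ("alice", "bob/calendar.ics"),
                              (".*", "bob/calendar.ics")]:
        print(f"{login!r:8} -> {collection!r:22} vulnerable/fixed:",
              compare(login, collection))
```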
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: radicale

default install of radicale

[root@localhost wilcal]# urpmi radicale
Package radicale-0.7.1-8.mga5.noarch is already installed

MCC -> System -> Manage system services -> radicale -> running

I can't seem to get this thing to do something.

Tried: http://localhost:5232/~wilcal/calendar.ics/
And that wants to open "VCS/ICS" with KWrite.

[wilcal@localhost ~]$ radicale
IOError: [Errno 13] Permission denied: '/var/log/radicale/radicale.log'

Tried a bunch of stuff in:
http://radicale.org/user_documentation/#idstarting-the-client
no calendar.

Any ideas?
CC: (none) => wilcal.int
Updated package from Jani is now:

radicale-1.1.1-1.1.mga5

from radicale-1.1.1-1.1.mga5.src.rpm

changelog is:
- fix conf file permissions
- update list of recommended python packages
I don't have mga5 machine available right now, but at least radicale works in Cauldron after I fixed config file permissions. Tested with my Android smart phone and CalDav Sync Adapter. I'll try to test with mga5 also.
Trying M5 x64

This page: http://radicale.org/user_documentation/#idstarting-the-client has good looking information about configuring Evolution & KOrganiser (now Kontact) for both Calendars & Contacts. It is pretty accurate.

BEFORE update: radicale-0.7.1-8.mga5

Evolution/Calendar: Followed the instructions. Used URL http://localhost:5232/lewis/Rcalendar.ics/ (lewis is the login name; it may matter). But after the final 'OK' - no sign of the new calendar, just the default one. Nor after re-starting Evolution.

Evolution/Contacts: Following the instructions, in the Contacts panel, File-New- shows both Contact List and Address Book; chose the latter, then it becomes confusing. The dialogue has Name [assume of the address book]; both 'user' and 'addressbook.vcf' in the URL; and a final User. What do they mean by "the correct username"? I guessed 'lewis' (N.B. my login name - this may matter) both in the URL[user] & as User; and Raddressbook as the Name and in URL[addressbook.vcf]. Hence URL = http://localhost:5232/lewis/Raddressbook.vcf/
Clicking OK does at least show the new address book. However... Clicking on it throws up a dialogue "Address book authentification request Please enter the password for address book .... (host: localhost)" showing User Name lewis + a password field. What is this about? OK, gave my login password - that works! And so does the address book.

Kontact [NOT KOrganiser]/Calendar
Follow the instructions with great attention. Again I used my login 'user' name & password whenever such things were asked for; KDE adds a couple of its own dialogues to those described. I used URL http://localhost:5232/lewis/Calendar.ics/
And at the end, after re-starting Kontact - Lo! there it is.

Kontact/Contacts, to follow.
CC: (none) => lewyssmith
Trying x64 pre-update (continued)

Kontact/Contacts
Following carefully the instructions for KOrganiser in:
http://radicale.org/user_documentation/#idstarting-the-client
Note that even though adding an address book, you follow the 'Calendars' path except for only steps 10 (choose CardDav) & 11:
URL = http://localhost:5232/lewis/Raddressbook.vcf/
I used again my login name [lewis] for USER and the login password wherever one was asked for; and Raddressbook for its Name & in the URL.
The address book appeared straight away (as had the calendar in Comment 9), but I re-started Kontact as prescribed.

However, I was unable to add a contact to it. Perhaps I was doing something wrong, because I could not do so for the standard Personal Contacts either. I once got a dialogue about 'enabling' the resource in the side panel', but did not see any means to do so.
In the same vein, I could not get the Calendar to work - neither the given Personal one, nor the Radicale one. I am sure all this was easy 15y ago...

But there is enough here to try the update [to follow].
Testing M5 x64, radicale-1.1.1-1.1.mga5

When selecting the radicale update, it insisted on adding 8 Python3 updates as well. Is this to be expected?

POST UPDATE

Evolution: no behavioural change noted. But in the process of trying the Calendar facility (not tried previously) with just the default calendar shown in the LH pane, along the way it offers the choice of Calendar to add to. This list *included both pre-update Radicale calendars* I had added apparently in vain. So they were always there, but invisible.
Radicale Contacts/addressbook worked OK.
It is worth noting the Evolution itself is in a mess, which it admits when first invoking it; recommending the previous stable version.

Kontact: no behavioural change noted. The Radicale calendar is still visible alongside the standard one, but I could still not make either work properly. For contacts, still unable to successfully add them to either the standard or Radicale address books.

I am happy to OK this update once the Python issue is clarified.
(In reply to Lewis Smith from comment #11)
> Testing M5 x64, radicale-1.1.1-1.1.mga5
>
> When selecting the radicale update, it insisted on adding 8 Python3 updates
> as well.
> Is this to be expected?

It's expected if one installs without --no-recommends. Some features of radicale need some extra pkgs. By default those features aren't in use and radicale should work OK without recommended pkgs also.
Tested radicale with mga5 x86_64 and evolution-3.13.90-1.1.

1. Added calendar (hxxp://localhost:5232/wally/kalenteri.ics/) with radicale-0.7.1-8 from core media and created some events.
2. Updated to radicale-1.1.1-1.1 from core/updates_testing and successfully created new events and modified existing ones.
3. Added new contact book (hxxp://localhost:5232/wally/yhteystiedot.vcf/) and successfully created new contacts.
Whiteboard: (none) => MGA5-64-OK
Validating. Advisory from comment 5 uploaded. Please push to 5 updates, thanks.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0057.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED