Advisory:
==========
This update of rpm fixes several security issues:
http://rpm.org/wiki/Releases/4.12.0.2

All of those fixes were already backported in Mageia but for:
- Fix out-of-bounds read on signature checking of malformed package (RhBug:1373107)

List of generated packages:
=============================
lib64rpm3-4.12.0.2-1.7.mga5.x86_64.rpm
lib64rpmbuild3-4.12.0.2-1.7.mga5.x86_64.rpm
lib64rpm-devel-4.12.0.2-1.7.mga5.x86_64.rpm
lib64rpmsign3-4.12.0.2-1.7.mga5.x86_64.rpm
python3-rpm-4.12.0.2-1.7.mga5.x86_64.rpm
python-rpm-4.12.0.2-1.7.mga5.x86_64.rpm
rpm-4.12.0.2-1.7.mga5.x86_64.rpm
rpm-build-4.12.0.2-1.7.mga5.x86_64.rpm
rpm-debuginfo-4.12.0.2-1.7.mga5.x86_64.rpm
rpm-sign-4.12.0.2-1.7.mga5.x86_64.rpm
(s/lib64/lib/ + s/x86_64/i586/ for i586)
Also, I've fixed & reenabled the testsuite like I did in Cauldron, so that we've some sanity checks.
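The only new fix in this update is an out-of-bounds read while checking the signature of a malformed package. To make that class of bug concrete, here is an added example (not rpm's own code and not the RhBug:1373107 patch) of a bounds-checked parser for the RPM header structure that the signature region uses: every index entry's offset and length is validated against the data store before a byte is read, and a string entry must find its NUL terminator inside the store. The tag numbers are the RPM signature tags (SIZE 1000, MD5 1004, SHA1 269); the sample headers are constructed in the file, and the parser omits checks real rpm also does (data alignment, duplicate tags, region tags).

```python
"""Bounds-checked RPM header parser (added example, not rpm's code)."""
import struct

HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header magic + version byte
PREAMBLE_SIZE = 16                    # magic(4) reserved(4) nindex(4) hsize(4)
INDEX_ENTRY_SIZE = 16                 # tag(4) type(4) offset(4) count(4)

# RPM header data types and the fixed element size of each (strings are NUL-terminated)
RPM_CHAR, RPM_INT8, RPM_INT16, RPM_INT32, RPM_INT64 = 1, 2, 3, 4, 5
RPM_STRING, RPM_BIN, RPM_STRING_ARRAY, RPM_I18NSTRING = 6, 7, 8, 9
FIXED_SIZE = {RPM_CHAR: 1, RPM_INT8: 1, RPM_INT16: 2, RPM_INT32: 4, RPM_INT64: 8, RPM_BIN: 1}
INT_FMT = {RPM_INT8: "B", RPM_INT16: "H", RPM_INT32: "I", RPM_INT64: "Q"}
STRING_TYPES = (RPM_STRING, RPM_STRING_ARRAY, RPM_I18NSTRING)

# Signature header tags used in the samples (values from rpmtag.h)
RPMSIGTAG_SHA1, RPMSIGTAG_SIZE, RPMSIGTAG_MD5 = 269, 1000, 1004


class MalformedHeader(ValueError):
    """Raised instead of reading outside the header."""


def parse_header(blob: bytes) -> dict:
    """Parse one header region into {tag: value}; each index entry is checked
    against the data store before any of its bytes are touched."""
    if len(blob) < PREAMBLE_SIZE or blob[:4] != HEADER_MAGIC:
        raise MalformedHeader("bad magic or truncated preamble")
    nindex, hsize = struct.unpack(">II", blob[8:16])
    data_start = PREAMBLE_SIZE + nindex * INDEX_ENTRY_SIZE
    if nindex == 0 or data_start + hsize > len(blob):
        raise MalformedHeader("index/data store exceeds header length")
    data = blob[data_start:data_start + hsize]
    entries = {}
    for i in range(nindex):
        at = PREAMBLE_SIZE + i * INDEX_ENTRY_SIZE
        tag, typ, offset, count = struct.unpack(">IIiI", blob[at:at + INDEX_ENTRY_SIZE])
        if offset < 0 or offset >= hsize:
            raise MalformedHeader(f"tag {tag}: offset {offset} outside {hsize}-byte data store")
        if typ in FIXED_SIZE:
            end = offset + FIXED_SIZE[typ] * count   # Python ints do not wrap, so this is the true end
            if count == 0 or end > hsize:
                raise MalformedHeader(f"tag {tag}: {count} element(s) run past the data store")
            raw = data[offset:end]
            if typ in INT_FMT:
                vals = struct.unpack(f">{count}{INT_FMT[typ]}", raw)
                entries[tag] = vals[0] if count == 1 else list(vals)
            else:
                entries[tag] = raw
        elif typ in STRING_TYPES:
            n = 1 if typ == RPM_STRING else count
            strs, pos = [], offset
            for _ in range(n):
                nul = data.find(b"\x00", pos)        # terminator must lie inside the data store
                if nul < 0:
                    raise MalformedHeader(f"tag {tag}: unterminated string")
                strs.append(data[pos:nul].decode("utf-8", "replace"))
                pos = nul + 1
            entries[tag] = strs[0] if typ == RPM_STRING else strs
        else:
            raise MalformedHeader(f"tag {tag}: unknown type {typ}")
    return entries


def build_header(entries) -> bytes:
    """Assemble a well-formed header from (tag, type, count, payload) tuples."""
    index, data = bytearray(), bytearray()
    for tag, typ, count, payload in entries:
        index += struct.pack(">IIiI", tag, typ, len(data), count)
        data += payload
    preamble = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(entries), len(data))
    return preamble + bytes(index) + bytes(data)


def with_offset(blob: bytes, entry: int, new_offset: int) -> bytes:
    """Copy of blob with the offset field of index entry `entry` overwritten
    (this is how the malformed sample below is produced)."""
    at = PREAMBLE_SIZE + entry * INDEX_ENTRY_SIZE + 8
    return blob[:at] + struct.pack(">i", new_offset) + blob[at + 4:]


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_header(blob)
        return True
    except MalformedHeader:
        return False


# Constructed sample: a minimal signature header with SIZE, MD5 and SHA1 entries (61-byte data store).
GOOD_SIG_HEADER = build_header([
    (RPMSIGTAG_SIZE, RPM_INT32, 1, struct.pack(">I", 123456)),
    (RPMSIGTAG_MD5, RPM_BIN, 16, bytes(range(16))),
    (RPMSIGTAG_SHA1, RPM_STRING, 1, b"a" * 40 + b"\x00"),
])
# Same bytes, but the MD5 entry now starts 4 bytes before the end of the store while
# still claiming 16 bytes: an unchecked copy would read 12 bytes past the store.
BAD_MD5_OFFSET = with_offset(GOOD_SIG_HEADER, 1, 57)
# Constructed header whose string payload was cut off before its NUL terminator.
BAD_UNTERMINATED = build_header([(RPMSIGTAG_SHA1, RPM_STRING, 1, b"a" * 40)])
```

Run the file and call `parse_header(GOOD_SIG_HEADER)` to see the decoded tags; `is_well_formed(BAD_MD5_OFFSET)` and `is_well_formed(BAD_UNTERMINATED)` both return False, as does a header truncated mid data store. The point of the structure is that the length arithmetic is done once, on the index entry, before the data store is indexed, which is the discipline a C implementation needs to avoid the read the advisory describes.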
Whiteboard: (none) => MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => wilcal.int, sysadmin-bugs
Hi, please upload the advisory
CC: (none) => mageia
(In reply to Nicolas Lécureuil from comment #2)
> please upload the advisory

Starting to do so, I realise that there is not enough information here:
- I take it that it should be a 'security' update.
- What SRPM are we talking about?
- The link in the advisory only shows 2 CVEs for 6 security fixes.

"All of those fixes were already backported in Mageia but for:
- Fix out-of-bounds read on signature checking of malformed package (RhBug:1373107)"

Not sure what is meant here. Does this update fix *just* the 1373107 issue (the others already having been fixed), or what?
CC: (none) => lewyssmith
1) Yes, this should be a security update.
2) I don't understand. The SRPM is in the "Source RPM" field.
3) Yes, only the #1373107 fix is new. The other fixes were already included. We dropped the patches as they're now included in a new official security update.
CC: (none) => luigiwalser
I just added the advisory
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0366.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
For future reference, the "Source RPM" field in Bugzilla is not what Lewis was talking about. The "Source RPM" field in Bugzilla should be the old version, i.e. the version the bug is being reported against. The SRPM that goes in the advisory is the updated version. So, in the list of generated packages in Comment 0, you should also include the Source RPM file name when assigning a bug to QA.
Blocks: (none) => 26576
Blocks: (none) => 26581
Blocks: 26581 => (none)
Blocks: (none) => 26715
Blocks: 26715 => (none)