Fedora has issued an advisory on May 19:
The security bug fixed in that update is this one:
Mageia 5 may also be affected.
Patch to fix it:
Mageia 5 is affected.
3.2.1 in Cauldron already has the fix.
Updated cinnamon-settings-daemon packages fix security vulnerability:
It was found that csd-datetime-setting SetDate DBUS function does not check the
polkit authorization for the caller, Unlike SetTime.
Updated packages in core/updates_testing:
$ uname -a
Linux localhost.localdomain 4.4.74-desktop-1.mga5 #1 SMP Mon Jun 26 08:33:18 UTC 2017 i686 i686 i686 GNU/Linux
The following 4 packages are going to be installed:
1.4MB of additional disk space will be used.
1.3MB of packages will be retrieved.
Is it ok to continue?
Clicked on date/time on menu as well as going into mageia center. This entity uses internet protocol and everything functioned as designed.
Testing MGA5 64-bit
Updated the package to: cinnamon-settings-daemon-2.4.3-2.1.mga5
Have also a host of libdbus pkgs; are they relevant?
Using Cinnamon desktop, tried the date/time application from both the systray icon (clicking the time, then 'configure date/time' button) and menu-Tools-Date/Time. Then clicking the 'unlock' button of the display popped up a dialogue for root password. I thought this is what was meant (now) to happen.
OTOH if this is not a valid test, please can somebody advise how to do better. My system does *not* get its time from the Internet, just the hardware clock.
OKing for 64-bit. Validating, advisory uploaded.
An update for this issue has been pushed to the Mageia Updates repository.