openSUSE has issued an advisory today (August 17): https://lists.opensuse.org/opensuse-updates/2017-08/msg00065.html The issue is fixed upstream in 2.3. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
pushed in updates_testing src.rpm: fossil-2.3-1.mga6 fossil-2.3-1.mga5
CC: (none) => mageia
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: shlomif => qa-bugs
Advisory:
========================

Updated fossil package fixes security vulnerability:

Potential XSS vulnerability on the /help webpage (boo#1053267).

References:
https://lists.opensuse.org/opensuse-updates/2017-08/msg00065.html
========================

Updated packages in core/updates_testing:
========================

fossil-2.3-1.mga5
fossil-2.3-1.mga6

from SRPMS:
fossil-2.3-1.mga5.src.rpm
fossil-2.3-1.mga6.src.rpm
MGA5-32 on Asus A6000VM Xfce.
No installation issues.
Used https://www.fossil-scm.org/xfer/doc/tip/www/quickstart.wiki to do a few tests at the CLI:

$ cd Documenten.orig/
$ fossil init testfossil
project-id: a626effdcfd7a443020645fe64c63c708e61ef3e
server-id: b845888f56ef71cf4c9d0ac5ed163020b1d76adc
admin-user: tester5 (initial password is "5488cc")
$ fossil info testfossil
project-name: <unnamed>
project-code: a626effdcfd7a443020645fe64c63c708e61ef3e
$ fossil clone http://www.fossil-scm.org/ testfossil1
Round-trips: 6 Artifacts sent: 0 received: 37310
Clone done, sent: 1583 received: 27418235 ip: 45.33.6.223
Rebuilding repository meta-data...
100.0% complete...
Extra delta compression...
Vacuuming the database...
project-id: CE59BB9F186226D80E49D1FA2DB29F935CCA0333
server-id: e474c7e9d484d6e8a66cc51da65b28d257c40a5c
admin-user: tester5 (password is "720adc")
$ fossil open testfossil
project-name: <unnamed>
repository: /home/tester5/Documenten.orig/testfossil
local-root: /home/tester5/Documenten.orig/
config-db: /home/tester5/.fossil
project-code: a626effdcfd7a443020645fe64c63c708e61ef3e
checkout: de5bc8941f8150190b4b83d0cb305eb9460b4309 2017-08-19 08:57:36 UTC
tags: trunk
comment: initial empty check-in (user: tester5)
check-ins: 1
$ fossil status testfossil
repository: /home/tester5/Documenten.orig/testfossil
local-root: /home/tester5/Documenten.orig/
config-db: /home/tester5/.fossil
checkout: de5bc8941f8150190b4b83d0cb305eb9460b4309 2017-08-19 08:57:36 UTC
tags: trunk
comment: initial empty check-in (user: tester5)

Enough for me. This stuff is not exactly my cup of tea.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
Tested OK on Mageia 6 x86_64 using this quick start guide: http://chiselapp.com/user/cutterpillow/repository/fossil-iOS/doc/tip/www/quickstart.wiki

$ fossil clone http://grotesque.invergo.net/fossil grotesque.fossil
Round-trips: 5 Artifacts sent: 0 received: 1928
Clone done, sent: 1363 received: 47987297 ip: 75.119.200.169
Rebuilding repository meta-data...
100.0% complete...
Extra delta compression...
Vacuuming the database...
project-id: d82a7f44a5bf43cde54848e784f161118e3dd7ef
server-id: b81d7beb5ff8412dd39eb093343e35601d7cc904
admin-user: akien (password is "2a4ed6")
$ fossil ui grotesque.fossil
Listening for HTTP requests on TCP port 8080
// shows this website, logged in as admin, on localhost: http://grotesque.invergo.net/fossil/index
$ mkdir grotesque
$ cd grotesque
$ fossil open ../grotesque.fossil
[list of files]
project-name: Grotesque
repository: /home/akien/Projects/libregames/grotesque/../grotesque.fossil
local-root: /home/akien/Projects/libregames/grotesque/
config-db: /home/akien/.fossil
project-code: d82a7f44a5bf43cde54848e784f161118e3dd7ef
checkout: a722c0f34a925f10fd92532d164351628c0dc31d 2015-09-15 20:47:11 UTC
parent: 043f96d9cceff5dec9d9147298d142c19153b1a3 2015-01-18 10:32:15 UTC
merged-from: 813e7abddb48450e69feec0fa2348baaac7c577d 2015-05-06 22:07:43 UTC
child: acff50b01ac2a4056d9858565ee381c61189aeec 2015-09-15 20:58:51 UTC
tags: trunk
comment: merge in sqlite branch (user: brandon)
check-ins: 564
$ nano README
// did some random changes
$ fossil changes
EDITED README
$ fossil diff
Index: README ================================================================== --- README +++ README
@@ -21,11 +21,11 @@ #+TITLE: Grotesque * About Grotesque is a program for organizing and exploring your interactive fiction -library. +library. It can also be used to test fossil security updates. Grotesque is copyright 2009, 2010 Per Liedman and 2011, 2012, 2014 Brandon Invergo. See the file COPYING for licensing information. * Requirements
$ fossil commit -m "Hello QA."
Autosync: http://grotesque.invergo.net/fossil
Round-trips: 1 Artifacts sent: 0 received: 0
Pull done, sent: 321 received: 355 ip: 75.119.200.169
New_Version: f97fc6636a1e3acbe25d5ebe2b92973a17f62e31
Autosync: http://grotesque.invergo.net/fossil
Round-trips: 1 Artifacts sent: 2 received: 0
Error: not authorized to write
Round-trips: 1 Artifacts sent: 2 received: 0
Sync done, sent: 702 received: 382 ip: 75.119.200.169
Autosync failed.

(the failure is probably normal; I did not configure my fossil identity to be able to do actual changes)
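Review bot: the sentence appended on the "+library." line ("It can also be used to test fossil security updates.") is QA filler rather than documentation of Grotesque, so this hunk should stay in the local check-in and not be pushed to the upstream repository; the autosync attempt that follows was refused with "Error: not authorized to write", which is consistent with that, and the "@@ -21,11 +21,11 @@" header shows the hunk's context lines were run together by extraction, so the only real change is that one line.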
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
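The init/open/commit steps in comments 3 and 4 are what the thread later points to as the QA procedure, and the advisory names a reflected XSS on the /help page as the reason for the update. The script below is an added example that is not part of the bug report, of Mageia QA or of the fossil project: it scripts that procedure against a throw-away local repository and adds the check a practitioner would want, a probe of /help with a marker containing '<' and '"' to confirm the page no longer echoes the parameter unescaped. It assumes (not stated in the thread) that the help page takes the command name in a "cmd" query parameter and that "fossil version" prints "This is fossil version X.Y [...]"; the marker string is constructed for the probe. A pass means the probe did not come back unescaped, which also holds if the page does not reflect the value at all.

```shell
#!/bin/sh
# QA helper added as an example; not from the bug report or from fossil.
# Assumptions not in the thread: /help takes a "cmd" query parameter and
# "fossil version" prints "This is fossil version X.Y [...]".
set -eu

# version_ge A B: succeed when dotted version A is >= B, comparing each
# component numerically so that 2.10 >= 2.3 and 2.3.1 >= 2.3.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# fossil_version: the installed version string, e.g. "2.3" (fifth word of
# "This is fossil version 2.3 [...]"; FOSSIL may point at another binary).
fossil_version() {
    "${FOSSIL:-fossil}" version | awk '{ print $5 }'
}

# reflected_unescaped BODY MARKER: succeed (meaning "bad") when MARKER, which
# carries '<' and '"', appears verbatim in BODY. A page that escapes the
# parameter contains &lt; and &quot; instead, so the fixed-string grep misses.
reflected_unescaped() {
    printf '%s' "$1" | grep -qF -- "$2"
}

# qa_run: the procedure from comments 3 and 4 (init, open, commit) followed
# by a reflected-XSS probe of /help on a local, throw-away repository.
qa_run() {
    ver=$(fossil_version)
    if ! version_ge "$ver" 2.3; then
        echo "fossil $ver is older than 2.3, the version carrying the fix" >&2
        return 1
    fi
    work=$(mktemp -d)
    marker='qamarker<"x"'          # constructed probe value
    encoded='qamarker%3C%22x%22'   # same value, URL-encoded for the query string
    (
        cd "$work"
        fossil init qa.fossil >/dev/null
        mkdir co && cd co
        fossil open ../qa.fossil >/dev/null
        echo "Hello QA." > README
        fossil add README >/dev/null
        fossil commit -m "Hello QA." >/dev/null
        fossil status
        fossil server --localhost --port 8089 ../qa.fossil >/dev/null 2>&1 &
        pid=$!
        trap 'kill "$pid" 2>/dev/null' EXIT
        sleep 2
        body=$(curl -s "http://127.0.0.1:8089/help?cmd=$encoded")
        if reflected_unescaped "$body" "$marker"; then
            echo "FAIL: /help reflects the cmd parameter unescaped" >&2
            exit 1
        fi
        echo "OK: fossil $ver, /help did not reflect the probe unescaped"
    ) || { rm -rf "$work"; return 1; }
    rm -rf "$work"
}

# Run the full procedure only when asked, so the helper functions can be
# sourced or tested without fossil installed:  sh qa-fossil.sh run
if [ "${1:-}" = run ]; then
    qa_run
fi
```

Run it as "sh qa-fossil.sh run" on the updated package; the version gate fails closed on anything below 2.3, and the probe reports FAIL only when the marker comes back byte-for-byte, so an escaped or absent reflection both count as OK.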
Validating, advisory uploaded. Also comments 3 and 4 can serve as procedure for a future update.
CC: (none) => sysadmin-bugs
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => avisory has_procedure MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => validated_update
Whiteboard: avisory has_procedure MGA5TOO MGA5-32-OK MGA6-64-OK => advisory has_procedure MGA5TOO MGA5-32-OK MGA6-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0285.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED