Ubuntu has issued an advisory on September 5: https://usn.ubuntu.com/usn/usn-3411-1/ Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Hi! The packages with the patch were submitted to mga[567]. See http://pkgsubmit.mageia.org/ . Some of the ARM packages are still building.
Thanks Shlomi!
Advisory:
========================
Updated bzr package fixes security vulnerability:
Adam Collard discovered that Bazaar did not properly handle host names in 'bzr+ssh://' URLs. A remote attacker could use this to construct a bazaar repository URL that when accessed could run arbitrary code with the privileges of the user.
References:
https://usn.ubuntu.com/usn/usn-3411-1/
========================
Updated packages in core/updates_testing:
========================
bzr-2.6.0-11.1.mga5
bzr-2.7.0-1.1.mga6
from SRPMS:
bzr-2.6.0-11.1.mga5.src.rpm
bzr-2.7.0-1.1.mga6.src.rpm
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Assigning to QA. Advisory and package list in Comment 2.
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Working on this for mga6::x86_64. Canonical provides both basic and detailed tutorials.
CC: (none) => tarazed25
mga6 x86_64
Tutorial at http://wiki.bazaar.canonical.com/Tutorials
Bazaar is a distributed version control system which works entirely on disk, without a database unless the user wishes to specify one. Everything is handled with shell level commands and extensive help is available at the command line.
Set up a local repository and added a hello world text file and committed revision 1. Integrated this report file into the branch with the intention of making edits further along the line.
Created a new directory (work) to edit one of the committed files:
[lcl@belexeuli work]$ bzr checkout ~/xxx . -r 2
[lcl@belexeuli work]$ ls
hello.txt report
Ran the update.
Resumed editing the report and committed revision 3.
[lcl@belexeuli work]$ bzr commit report
Committing to: /home/lcl/xxx/
modified report
Committed revision 3.
[lcl@belexeuli work]$ ls -a
./ ../ .bzr/ hello.txt report .#report@ '#report#'
[lcl@belexeuli work]$ ls .bzr
branch/ branch-format branch-lock/ checkout/ README repository/
The two lines above indicate how information is attached to the checked out files.
The application enforces documentation. Because a message was not supplied on the command line an editor was opened for creating the message.
Although simplistic, this test should be sufficient to indicate that the system works after the update.
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Went straight for the update after installing bzr on mga5:x86_64.
On an mga6 machine with existing bzr project:
[lcl@belexeuli ~]$ bzr branch xxx bzr+ssh://vega/home/lcl/zzz
Password:
Branched 4 revisions.
This produced a bzr directory for lcl on vega, an mga5 machine on the LAN.
[lcl@vega zzz]$ bzr checkout . xxx -r 4
[lcl@vega zzz]$ ls
xxx/
[lcl@vega zzz]$ cd xxx
[lcl@vega xxx]$ ls
hello.txt report
This was a route which seemed to work but in fact led nowhere. Attempts to start with a new tree on the mga5 machine (vega) and merge or pull from belexeuli also failed in the end. This was due to my incomplete knowledge but at least it established that the bzr+ssh protocol works; files were exchanged.
$ bzr log bzr+ssh://belexeuli/home/lcl/xxx
Password:
------------------------------------------------------------
revno: 4
committer: lcl tarazed25@gmail.com
branch nick: xxx
timestamp: Fri 2017-09-08 13:35:38 +0100
message:
  Final report for mga6
------------------------------------------------------------
.......................................
------------------------------------------------------------
revno: 1
committer: lcl tarazed25@gmail.com
branch nick: xxx
timestamp: Fri 2017-09-08 10:53:12 +0100
message:
  added my first file
Started from scratch for mga5:
[lcl@vega ~]$ mkdir newbie
[lcl@vega ~]$ cd newbie
[lcl@vega newbie]$ bzr whoami "lcl <tarazed25@gmail.com>"
[lcl@vega newbie]$ bzr init
Created a standalone tree (format: 2a)
Edited the current report, report.mga5, then committed it.
[lcl@vega newbie]$ bzr add report.mga5
adding report.mga5
[lcl@vega newbie]$ bzr commit report.mga5 -m "Initial QA report for mga5"
Committing to: /home/lcl/newbie/
added report.mga5
Committed revision 1.
[lcl@vega newbie]$ bzr log
------------------------------------------------------------
revno: 1
committer: lcl <tarazed25@gmail.com>
branch nick: newbie
timestamp: Fri 2017-09-08 15:31:34 +0100
message:
  Initial QA report for mga5
[lcl@vega newbie]$ bzr add hello.txt
adding hello.txt
[lcl@vega newbie]$ bzr commit hello.txt -m "The inevitable Hello World item"
Committing to: /home/lcl/newbie/
added hello.txt
Committed revision 2.
The trick to publishing is to use the --use-existing-dir switch otherwise bzr complains about various things.
Created empty newbie directory on the remote machine and then published the current branch.
$ bzr push --use-existing-dir bzr+ssh://belexeuli/home/lcl/newbie
Password:
Created new branch.
Moved to the newbie directory on the remote machine to check the transfer:
$ bzr checkout ~/newbie ~/whatever -r 2
$ cd
$ ls whatever
hello.txt report.mga5
These simple tests show that the system works. There is obviously a lot more to bzr than this but it should suffice for validation.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Got inspiration from http://doc.bazaar.canonical.com/bzr.dev/en/mini-tutorial/index.html
$ bzr whoami "HV <herman.viaene@hotmail.be>"
$ bzr whoami
HV <herman.viaene@hotmail.be>
$ bzr init-repo samplebzr
Shared repository with trees (format: 2a)
Location:
  shared repository: samplebzr
$ bzr init samplebzr/trunk
Created a repository tree (format: 2a)
Using shared repository: /home/tester5/Documenten/samplebzr/
$ cd samplebzr/trunk/
Created a file test.txt in this directory containing:
This is the first line.
$ bzr add test1.txt
adding test1.txt
$ bzr commit -m "Added first line of text"
Committing to: /home/tester5/Documenten/samplebzr/trunk/
added test1.txt
Committed revision 1.
Added to test1.txt second line:
This line is added after adding the file to bzr.
$ bzr add test1.txt
$ bzr diff
=== modified file 'test1.txt' --- test1.txt 2017-09-09 09:40:16 +0000 +++ test1.txt 2017-09-09 09:41:26 +0000 @@ -1,1 +1,2 @@ -This is the first line. \ No newline at end of file +This is the first line. +This line is added after adding the file to bzr. \ No newline at end of file
$ bzr commit -m "Added second line of text"
Committing to: /home/tester5/Documenten/samplebzr/trunk/
modified test1.txt
Committed revision 2.
$ bzr log
------------------------------------------------------------
revno: 2
committer: HV <herman.viaene@hotmail.be>
branch nick: trunk
timestamp: Sat 2017-09-09 11:43:48 +0200
message:
  Added second line of text
------------------------------------------------------------
revno: 1
committer: HV <herman.viaene@hotmail.be>
branch nick: trunk
timestamp: Sat 2017-09-09 11:40:16 +0200
message:
  Added first line of text
OK for me
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK
CC: (none) => herman.viaene
Formidable testing! Advisoried from Comment 2, no CVE. Validating.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0336.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This has apparently been assigned CVE-2017-14176. Ubuntu has issued an advisory for this today (October 24): https://usn.ubuntu.com/usn/usn-3411-2/
Summary: bzr new security issue similar to CVE-2017-1000117 => bzr new security issue similar to CVE-2017-1000117 (CVE-2017-14176)
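Added example, not part of the bug report and not the bzr patch: a pre-flight check a wrapper script or CI job could run on a 'bzr+ssh://' URL before handing it to bzr, rejecting host names that ssh could read as a command-line option (the class of bug in CVE-2017-1000117, to which this issue is compared). The function names, reason strings and host grammar are assumptions of this example; the sample URLs are constructed, with the two valid ones taken from the test sessions above.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Conservative host-name grammar (an assumption of this example, not bzr's
# own rule): must start and end with a letter or digit, so never with '-'.
_HOSTNAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")

# Constructed sample input.
SAMPLE_URLS = [
    "bzr+ssh://vega/home/lcl/zzz",
    "bzr+ssh://belexeuli/home/lcl/newbie",
    "bzr+ssh://-leading-dash/home/lcl/zzz",
    "bzr+ssh://lcl@%2Dencoded/home/lcl/zzz",
    "bzr+ssh:///home/lcl/zzz",
    "http://wiki.bazaar.canonical.com/Tutorials",
]


def check_bzr_ssh_url(url):
    """Return (ok, reason) for a URL that is about to be passed to bzr."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # userinfo and port already stripped
    except ValueError:
        return False, "unparseable"
    if parts.scheme != "bzr+ssh":
        return True, "not-bzr+ssh"  # other transports are out of scope here
    if not host:
        return False, "missing-host"
    host = unquote(host)  # decode %2D and friends before inspecting
    if host.startswith("-"):
        return False, "host-looks-like-option"
    try:
        ipaddress.ip_address(host)  # literal IPv4/IPv6 addresses are fine
        return True, "ok"
    except ValueError:
        pass
    if _HOSTNAME.fullmatch(host):
        return True, "ok"
    return False, "bad-host-characters"


def rejected(urls):
    """Map each refused URL to the reason it was refused."""
    results = ((u, check_bzr_ssh_url(u)) for u in urls)
    return {u: reason for u, (ok, reason) in results if not ok}


if __name__ == "__main__":
    for url, reason in rejected(SAMPLE_URLS).items():
        print(f"REJECT {url}: {reason}")
```

A check like this complements the package update rather than replacing it, since it only covers URLs that pass through the wrapper.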