Fedora has issued an advisory on March 20: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VUNMTXK3UTN636LOBG63UDSTVM4AF26T/ It sounds like there's more to this issue than just the one patch linked from the Red Hat bug, and upgrading to 3.19.0 is the only way to safely fix all of it.
Status comment: (none) => Fixed upstream in 3.19.0
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => tarakbumba
Reassigning to all packagers collectively as the original maintainer is not available anymore (thanks for all your work Atilla!).
Assignee: tarakbumba => pkg-bugs
Version 3.27.1 also pushed to mga6 to solve that issue.
CC: (none) => bruno
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Besides calibre-3.27.1-1.mga6, IIRC, I saw you push some other packages to mga6 updates_testing in the last few days that were deps for this package. You need to list those packages (SRPMS and RPMS) and provide a note as to why they needed to be updated.
Keywords: (none) => feedback
Indeed David, python-html5-parser had to be added to MGA6 as it's a new dependency for calibre since version 3.5.0 and was required to allow calibre to be built. I pushed the SRPM python-html5-parser-0.4.4-2.mga6.src.rpm and the corresponding RPMS python-html5-parser-0.4.4-1.1.mga6.x86_64.rpm & python3-html5-parser-0.4.4-2.mga6.x86_64.rpm.
Thanks :D

Advisory:
========================

Updated calibre package fixes security vulnerability:

gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call (CVE-2018-7889).

The python-html5-parser package is a new dependency for the updated calibre package and has been included with this update.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7889
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VUNMTXK3UTN636LOBG63UDSTVM4AF26T/
========================

Updated packages in core/updates_testing:
========================
python-html5-parser-0.4.4-1.1.mga6
python3-html5-parser-0.4.4-1.1.mga6
calibre-3.27.1-1.mga6

from SRPMS:
python-html5-parser-0.4.4-1.1.mga6.src.rpm
calibre-3.27.1-1.mga6.src.rpm
Keywords: feedback => (none)
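The vulnerability the advisory above describes is the classic deserialization flaw: `cPickle.load` on a file the user imported will resolve and call whatever globals the pickle stream names, so a crafted file runs code as soon as it is loaded. The following is an added illustration, not calibre's code and not part of this bug thread; the bookmark record shape (`title`/`pos` strings) is an assumption made for the example. It shows the unsafe pattern next to two mitigations: a restricted unpickler that refuses every global lookup (the approach documented in the Python standard library), and a JSON loader with a schema check, which is the preferable fix because JSON can never carry executable references.

```python
import io
import json
import pickle

# Constructed sample data in the bookmark shape assumed for this example
# (not calibre's real on-disk format).
SAMPLE_BOOKMARKS = [
    {"title": "Chapter 1", "pos": "epubcfi(/6/2!/4/2)"},
    {"title": "Chapter 2", "pos": "epubcfi(/6/4!/4/2)"},
]

ALLOWED_KEYS = {"title", "pos"}


def load_bookmarks_unsafe(data: bytes):
    """The vulnerable pattern: pickle on bytes the user imported from anywhere.
    Unpickling may import modules and call callables named in the stream, so
    code runs before this function returns anything to its caller."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup. Only builtin containers and scalars
    (list, dict, str, int, ...) can then be reconstructed from the stream."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def load_bookmarks_restricted(data: bytes):
    """Mitigation for code that must keep reading legacy pickle files."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def validate_bookmarks(obj):
    """Schema check: a list of dicts with exactly the expected string fields."""
    if not isinstance(obj, list):
        raise ValueError("bookmarks must be a list")
    for bm in obj:
        if not isinstance(bm, dict) or set(bm) != ALLOWED_KEYS:
            raise ValueError("unexpected bookmark shape")
        if not all(isinstance(bm[k], str) for k in ALLOWED_KEYS):
            raise ValueError("bookmark fields must be strings")
    return obj


def load_bookmarks_json(data: bytes):
    """Preferred fix: a data-only format. json.loads cannot execute code and
    the schema check rejects anything that is not a bookmark list."""
    return validate_bookmarks(json.loads(data.decode("utf-8")))


def demo():
    """Runs the three loaders over constructed inputs and reports the outcome."""
    data_pickle = pickle.dumps(SAMPLE_BOOKMARKS, protocol=2)
    # A pickle that merely *references* a global (a harmless builtin here).
    # The unsafe loader resolves it silently; the restricted loader refuses it.
    global_pickle = pickle.dumps(len, protocol=2)
    data_json = json.dumps(SAMPLE_BOOKMARKS).encode("utf-8")

    results = {
        "restricted_accepts_plain_data":
            load_bookmarks_restricted(data_pickle) == SAMPLE_BOOKMARKS,
        "unsafe_resolves_global": load_bookmarks_unsafe(global_pickle) is len,
        "json_round_trip": load_bookmarks_json(data_json) == SAMPLE_BOOKMARKS,
    }
    try:
        load_bookmarks_restricted(global_pickle)
        results["restricted_rejects_global"] = False
    except pickle.UnpicklingError:
        results["restricted_rejects_global"] = True
    try:
        load_bookmarks_json(b'{"title": "x"}')  # valid JSON, wrong shape
        results["json_rejects_bad_shape"] = False
    except ValueError:
        results["json_rejects_bad_shape"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The restricted unpickler is only a stopgap for reading files an application already wrote itself; a format that cannot name callables at all, such as JSON followed by an explicit schema check, is what the upgrade path in this bug relies on being safe.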
Installed and tested with ONE ISSUE FOUND.

TL;DR: The package calibre needs to depend on the package python-msgpack to fix a missing package error.

Tests included:
- Reading books;
- Adding books;
- Deleting books;
- Managing metadata;
- Downloading metadata from google and amazon;
- Converting formats;
- FAILED: Content server DOES NOT WORK due to a missing package "python-msgpack" (see error below). After installing the missing package the issue is resolved. To solve this a dependency needs to be added to the calibre package.

Missing package error:
=========================================================
calibre, version 3.27.1
ERRO: Exceção não tratada: <b>ImportError</b>:No module named msgpack

calibre 3.27.1  embedded-python: False is64bit: True
Linux-4.14.70-desktop-2.mga6-x86_64-with-mageia-6-Official Linux ('64bit', 'ELF')
('Linux', '4.14.70-desktop-2.mga6', '#1 SMP Thu Sep 20 22:05:46 UTC 2018')
Python 2.7.15
Linux: ('Mageia', '6', 'Official')
Interface language: pt
Traceback (most recent call last):
  File "/usr/lib64/calibre/calibre/gui2/actions/device.py", line 215, in toggle_content_server
    self.gui.start_content_server()
  File "/usr/lib64/calibre/calibre/gui2/ui.py", line 482, in start_content_server
    from calibre.srv.embedded import Server
  File "/usr/lib64/calibre/calibre/srv/embedded.py", line 13, in <module>
    from calibre.srv.handler import Handler
  File "/usr/lib64/calibre/calibre/srv/handler.py", line 13, in <module>
    from calibre.srv.routes import Router
  File "/usr/lib64/calibre/calibre/srv/routes.py", line 15, in <module>
    from calibre.utils.serialize import msgpack_dumps, json_dumps, MSGPACK_MIME
  File "/usr/lib64/calibre/calibre/utils/serialize.py", line 10, in <module>
    import msgpack
ImportError: No module named msgpack
=========================================================

$ uname -a
Linux marte 4.14.70-desktop-2.mga6 #1 SMP Thu Sep 20 22:05:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ LANGUAGE=C urpmi calibre
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  python-chardet                 2.3.0        3.mga6        noarch
  python-regex                   2015.11.22   1.mga6        x86_64
(medium "Core Updates Testing")
  calibre                        3.27.1       1.mga6        x86_64
  python-html5-parser            0.4.4        1.1.mga6      x86_64
  python-lxml                    3.8.0        1.1.mga6      x86_64
3.8MB of additional disk space will be used.
29MB of packages will be retrieved.
Proceed with the installation of the 5 packages? (Y/n)
<SNIP>
CC: (none) => mageia
Thanks for your test. Package updated to include the missing dep in calibre-3.27.1-2.mga6.
Installed and tested without issues. The issue, missing dependency for package python-msgpack, referred to in comment #7 is fixed.

$ LANGUAGE=C urpmi calibre
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  python-msgpack                 0.4.6        3.mga6        x86_64
(medium "Core Updates Testing")
  calibre                        3.27.1       2.mga6        x86_64
253KB of additional disk space will be used.
28MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n)
Whiteboard: (none) => MGA6-64-OK
Bruno, please remember to use a subrel when making such fixes in the future instead of bumping the rel (but thanks for the fix).
I'm not sure I get the rule :-( For lilypond you asked me to *not* use a subrel, to avoid the mga7 version being lower than the mga6 one, so that's what I applied here. (BTW calibre in mga7 has the tag 3, so it will be higher.) Let me know what I'm missing.
It's very simple. When you upgrade a package to a new version (as you did with lilypond), the release tag is 1 and there is no subrel, just as in Cauldron. For stable releases, whenever you rebuild an existing version of a package, you always increment the subrel (or add it if there isn't one). At no time do you ever increment a release tag in stable releases.
Validating. Suggested advisory in Comment 6 needs to be updated to include the missing dep from the first test.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0399.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
python-lxml-3.8.0-1.1.mga6 was missed from the advisory, causing bug 23737... now fixed.