Upstream has released new versions on March 21:
There were several security and other bugfixes.
We should update to 2.7.2, and stay on the 2.7.x branch, even in Cauldron, as it is now an LTS branch:
Assigning to all packagers collectively, because the registered maintainer for this package is currently unavailable.
openSUSE has issued an advisory today (April 21):
Two of the security fixes have CVEs.
Summary: mbedtls new security issues fixed upstream in 2.7.2 => mbedtls new security issues fixed upstream in 2.7.2 (CVE-2018-9988 and CVE-2018-9989)
Fixed upstream in 2.7.2
mbedtls-2.7.3-1.mga7 pushed to Cauldron by Stig-Ørjan.
Sysadmins, please remove mbedtls from mga6 core/updates_testing. The wrong version was pushed there.
mbedtls has been updated to fix two security issues.
CVE-2018-9988: ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_key_exchange() that could cause a crash on invalid input.
CVE-2018-9989: ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_psk_hint() that could cause a crash on invalid input.
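Both CVEs above are buffer over-reads triggered by a malformed ServerKeyExchange. As an added example (not mbed TLS's own ssl_parse_server_psk_hint() code), the C function below shows the kind of bounds check such a parser needs: it rejects a message too short to hold the 2-byte PSK identity hint length, and one whose advertised hint body is not actually present. The PSK_HINT_MAX cap and the sample messages are constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative bounds-checked parser for a PSK identity hint, carried in
 * ServerKeyExchange as a 2-byte big-endian length followed by the hint
 * bytes (RFC 4279). Added example code, not mbed TLS's implementation. */

#define PSK_HINT_MAX 256   /* assumed cap on the hint we are willing to copy */

/* Returns 0 and advances *p past the hint on success; returns -1 if the
 * data between *p and end is too short for the length prefix or the body. */
int parse_psk_hint(const unsigned char **p, const unsigned char *end,
                   unsigned char *hint_out, size_t *hint_len)
{
    const unsigned char *cur = *p;
    size_t len;

    /* Make sure the 2-byte length prefix itself is inside the buffer
     * before touching it; reading it unconditionally is the over-read. */
    if (end < cur || (size_t)(end - cur) < 2)
        return -1;

    len = ((size_t)cur[0] << 8) | cur[1];
    cur += 2;

    /* Make sure the body the length claims is really there. */
    if ((size_t)(end - cur) < len || len > PSK_HINT_MAX)
        return -1;

    memcpy(hint_out, cur, len);
    *hint_len = len;
    *p = cur + len;
    return 0;
}

/* Constructed samples: a well-formed hint "abc", a message claiming 200
 * bytes but carrying one, and a message with only half a length prefix. */
static const unsigned char good_msg[]  = { 0x00, 0x03, 'a', 'b', 'c' };
static const unsigned char short_msg[] = { 0x00, 0xC8, 'x' };
static const unsigned char tiny_msg[]  = { 0x00 };

/* Returns the parsed hint length, or -1 when the message is rejected. */
long demo_hint(const unsigned char *msg, size_t msg_len)
{
    unsigned char buf[PSK_HINT_MAX];
    const unsigned char *p = msg;
    size_t n = 0;
    if (parse_psk_hint(&p, msg + msg_len, buf, &n) != 0)
        return -1;
    return (long)n;
}
```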
Rebuilt for the new mbedtls.
dolphin-emu was previously in core, but not in core release. Seems it is also in tainted and perhaps wasn't pushed as a tainted update, or perhaps should not have been built in core when it was last updated.
$ depcheck dolphin-emu
Mageia release 6 (Official) for x86_64
Core 32bit Updates
Core Updates Testing
Tainted 32bit Release
Tainted Updates Testing
Could this be checked please?
So that's an issue with the previous update, not this one.
Sysadmins, would it be possible to remove the previous update from core/updates after this one is pushed?
MGA6-32 on IBM Thinkpad R50e Xfce
Installation: strange, I do not see any bctoolbox at all in the repo, but I find two libbctoolbox packages of the version indicated in Comment 4.
Installed those with the rest of the packages and ran the test as per bug 20561:
MD5 test #1: passed
MD5 test #2: passed
.... and at the end:
TIMING tests note: will take some time!
TIMING test #1 (set_alarm / get_timer): passed
TIMING test #2 (set/get_delay ): passed
TIMING test #3 (hardclock / get_timer): failed (ignored)
Executed 23 test suites
[ All tests PASS ]
If the bctoolbox issue can be resolved, then I'll agree to OK this.
@Herman, comment 7
$ sudo urpmi bctoolbox
Package lib64bctoolbox0-0.2.0-4.1.mga6.x86_64 is already installed
So it looks like it is just a library, a toolbox for programmers probably.
$ locate bctoolbox
So my advice is go ahead and OK it.
The master has spoken.
Advisory done as per comment 4; but note that the bug RPMs page has dolphin-emu in both core & tainted. Comments 5 & 6 have a bearing.
SRPMs from 'core-updates_testing'
SRPMs from 'tainted-updates_testing'
(In reply to David Walser from comment #6)
> So that's an issue with the previous update, not this one.
> Sysadmins, would it be possible to remove the previous update from
> core/updates after this one is pushed?
I moved it to tainted/updates to keep the downgrade option available...
An update for this issue has been pushed to the Mageia Updates repository.