Bug 22947 - packagekit new security issue CVE-2018-1106
Summary: packagekit new security issue CVE-2018-1106
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Thierry Vignaud
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-23 23:10 CEST by David Walser
Modified: 2018-07-04 18:44 CEST (History)
CC List: 3 users

See Also:
Source RPM: packagekit-1.1.9-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2018-04-23 23:10:02 CEST
SUSE has issued an advisory today (April 23):
https://lists.opensuse.org/opensuse-security-announce/2018-04/msg00064.html

I'm not 100% clear on what our exposure to this is, but much detail is in the SUSE bug:
https://bugzilla.suse.com/1086936

Mageia 6 is also potentially affected.
Comment 1 Marja Van Waes 2018-04-24 06:41:10 CEST
Assigning to the registered maintainer, CC'ing two recent committers.

Assignee: bugsquad => thierry.vignaud
CC: (none) => marja11, ngompa13, smelror

Comment 2 Marja Van Waes 2018-04-24 06:58:32 CEST
This bug report was discussed in #mageia-dev last night; the conclusion was that we're not vulnerable.

I don't think Neal and David will mind if I C&P those comments:

2018:04:23:23:10 < Luigi12_work> Pharaoh_Atem: what's your opinion on this?  https://bugs.mageia.org/show_bug.cgi?id=22947
<snip>
2018:04:23:23:16 < Pharaoh_Atem> according to hughsie, dnf was not vulnerable: https://github.com/hughsie/PackageKit/commit/7e8a7905ea9abbd1f384f05f36a4458682cd4697
<snip>
2018:04:23:23:18 < Pharaoh_Atem> if we still had the urpmi backend enabled in Mageia 6 or Cauldron, this would be a problem
2018:04:23:23:18 < Pharaoh_Atem> but we don't, so it turns out to not matter
2018:04:23:23:19 < Luigi12_work> Pharaoh_Atem: so it sounds like we're OK.  Would you mind making that statement on the bug and closing it as INVALID?  Since you're the expert on this stuff, would carry more weight.
2018:04:23:23:19 < Pharaoh_Atem> yeah
2018:04:23:23:19 < Pharaoh_Atem> as soon as I can actually log into mgabz :/

Closing.

Resolution: (none) => INVALID
Status: NEW => RESOLVED

Comment 3 David Walser 2018-04-24 22:27:23 CEST
RedHat has issued an advisory for this today (April 24):
https://access.redhat.com/errata/RHSA-2018:1224

I guess it's because they're using yum and not dnf.
Comment 4 Neal Gompa 2018-04-25 04:51:06 CEST
Yeah, Red Hat had the PackageKit-Hif backend for a while as an option, but removed it. Both Hif and DNF backends were not vulnerable, but every other backend is.
Comment 5 David Walser 2018-04-28 12:08:19 CEST
Fedora has issued an advisory for this on April 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LVDLEEAY64RYVJIR4LIWUYZ2564A345V/

I thought they weren't affected?
Comment 6 Neal Gompa 2018-07-04 18:44:04 CEST
They weren't, but PackageKit 1.1.10 was released, so they did it anyway.

In any case, this doesn't affect us.
