Ubuntu has issued an advisory today (July 3): https://usn.ubuntu.com/3701-1/ Mageia 5 and Mageia 6 are also affected.
Fedora has also issued an advisory for this today: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SBREWZ3EEDYWG6PCLWL2EJ24ME5ZFAX6/
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing ovitters, who pushed this package most often, and neoclust, who fixed CVE-2017-2885 in this package for Mga6.
CC: (none) => mageia, marja11, olav
Assignee: bugsquad => pkg-bugs
Patched packages uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated libsoup package fixes security vulnerability:

It was discovered that libsoup versions 2.63.2 and prior incorrectly handled certain cookie requests. An attacker could possibly use this to cause a denial of service (CVE-2018-12910).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12910
https://security-tracker.debian.org/tracker/CVE-2018-12910
https://usn.ubuntu.com/3701-1/
========================

Updated packages in core/updates_testing:
========================
libsoup-i18n-2.58.2-1.1.mga6.noarch.rpm
lib64soup2.4_1-2.58.2-1.1.mga6
lib64soup-devel-2.58.2-1.1.mga6
lib64soup-gir2.4-2.58.2-1.1.mga6

from libsoup-2.58.2-1.1.mga6.src.rpm

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=21487#c10
Keywords: (none) => has_procedure
CC: (none) => mrambo
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
Mageia 6, x86_64

Referred to the tests on bug 21487. Tried out banshee, darktable and shotwell successfully and confirmed that libsoup was involved in running shotwell.

$ strace shotwell 2> trace
$ grep soup trace
open("/lib64/libsoup-2.4.so.1", O_RDONLY|O_CLOEXEC) = 14
stat("/usr/lib64/gstreamer-1.0/libgstsouphttpsrc.so", {st_mode=S_IFREG|0755, st_size=71104, ...}) = 0
write(13, "soup\0", 5) = 5
write(13, "libsoup HTTP client src/sink\0", 29) = 29
write(13, "souphttpsrc\0", 12) = 12
write(13, "souphttpclientsink\0", 19) = 19

Updated the four packages and ran those applications again.
Imported local music tracks and played them in banshee. Youtube music videos played fine also.
Used darktable in lighttable mode to select images and manipulated them in the darkroom section, rotations, changing contrast, brightness and colour ranges, changed shape of tone curve, field of view... No obvious problems.
No regressions in shotwell.
pix worked fine as well - was able to add a comment to one image and see it displayed on refreshing the browser view.
Loaded midori and was able to browse the web and search.

This looks OK for 64-bits.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
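The strace check from the test report above in a reusable form, as an added example that is not part of the bug report: `grep soup` also matches `stat` and `write` lines, so this lists only the matching shared objects for which `open`/`openat` returned a file descriptor. The function names and the sample trace (modelled on the output quoted above) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Names and sample data are constructed.

# loaded_libs TRACE_FILE NAME
# Print each distinct shared-object path containing NAME that the traced
# program opened successfully (open/openat returning a descriptor >= 0).
# Failed probes (= -1 ENOENT) and other syscalls (stat, write) are ignored.
loaded_libs() {
    trace=$1
    name=$2
    awk -v name="$name" '
        /^(\[pid +[0-9]+\] )?(open|openat)\(/ {
            # The path is the first double-quoted string on the line.
            if (match($0, /"[^"]*"/) == 0) next
            path = substr($0, RSTART + 1, RLENGTH - 2)
            # The syscall result is whatever follows the last " = ".
            n = split($0, parts, " = ")
            ret = parts[n]
            if (ret ~ /^[0-9]+/ && index(path, name) > 0 &&
                path ~ /\.so(\.[0-9]+)*$/ && !seen[path]++)
                print path
        }
    ' "$trace"
}

# sample_trace: constructed strace lines in the format shown in the report,
# plus a failed library-path probe and an unrelated openat call.
sample_trace() {
    cat <<'EOF'
open("/usr/lib64/tls/libsoup-2.4.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libsoup-2.4.so.1", O_RDONLY|O_CLOEXEC) = 14
stat("/usr/lib64/gstreamer-1.0/libgstsouphttpsrc.so", {st_mode=S_IFREG|0755, st_size=71104, ...}) = 0
write(13, "soup\0", 5) = 5
openat(AT_FDCWD, "/lib64/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 15
open("/lib64/libsoup-2.4.so.1", O_RDONLY|O_CLOEXEC) = 16
EOF
}

# Usage: sh loaded_libs.sh trace soup   (trace produced by: strace APP 2> trace)
if [ "$#" -eq 2 ]; then
    loaded_libs "$1" "$2"
fi
```

Running it on a trace taken before and after the update confirms that the test application still loads the library from the expected path.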
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0328.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED