Bug 23317 - transifex-client 0.13.4
Summary: transifex-client 0.13.4
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Duplicates: 23033
Depends on:
Blocks:
 
Reported: 2018-07-17 15:20 CEST by David Walser
Modified: 2018-07-24 00:28 CEST (History)
CC List: 4 users

See Also:
Source RPM: transifex-client-0.12.4-1.mga6
CVE:
Status comment:



Description David Walser 2018-07-17 15:20:32 CEST
Fedora has issued an advisory on July 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ATQICUTC3SZKJL3EMABRNBONN6TJYMEN/

It doesn't say what the security issue is, and I can't find a changelog upstream either.

If there really is an issue, Mageia 6 is also affected.
David Walser 2018-07-17 15:20:49 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Rémi Verschelde 2018-07-17 15:52:40 CEST
*** Bug 23033 has been marked as a duplicate of this bug. ***

CC: (none) => rverschelde

Comment 2 Rémi Verschelde 2018-07-17 15:56:42 CEST
I wonder if it wasn't tagged "security" by mistake.

The only commit in 0.13.4 that could relate to a potential security issue is https://github.com/transifex/transifex-client/commit/80414a6e98a7b2522e3685ae7af83bf13605a27d
Maybe they used to accept any kind of file and that could be used to target their server somehow.

At any rate I was working on an update to 0.13.3 in bug 23033, so I'll move to 0.13.4 here.
Comment 3 Rémi Verschelde 2018-07-17 17:26:31 CEST
0.13.4 pushed to Cauldron and 6 core/updates_testing. The Mageia 6 update comes with python-slugify which is a new dependency.

I still can't really see this commit 80414a6 as fixing an actual security vulnerability, so I'd propose to downgrade this bug report to a simple bugfix. But I'll let you decide David.

Advisory:
=========

Updated transifex-client package to support transifex.com features

  This update brings the latest stable version of transifex-client to Mageia 6,
  allowing users to benefit from bug fixes and new features to use together with
  the transifex.com API.

  See the listed changelogs for details.

References:
 - https://github.com/transifex/transifex-client/releases/tag/0.12.5
 - https://github.com/transifex/transifex-client/releases/tag/0.13.0
 - https://github.com/transifex/transifex-client/releases/tag/0.13.1
 - https://github.com/transifex/transifex-client/releases/tag/0.13.2
 - https://github.com/transifex/transifex-client/releases/tag/0.13.3
 - https://github.com/transifex/transifex-client/releases/tag/0.13.4


RPMs in core/updates_testing:
=============================

python2-slugify-1.2.5-1.mga6.noarch
python3-slugify-1.2.5-1.mga6.noarch
transifex-client-0.13.4-1.mga6.noarch


SRPMs in core/updates_testing:
==============================

python-slugify-1.2.5-1.mga6
transifex-client-0.13.4-1.mga6


CC Filip and Yuri to help testing it as they use tx-client for Mageia translations. To install the update candidate, you can use `urpmi --searchmedia testing transifex-client`.

Version: Cauldron => 6
Assignee: rverschelde => qa-bugs
CC: (none) => filip.komar, yurchor
Whiteboard: MGA6TOO => (none)

Comment 4 David Walser 2018-07-17 18:01:57 CEST
Yeah it could have been marked security by mistake. It happens sometimes.

Component: Security => RPM Packages
QA Contact: security => (none)
Summary: transifex-client possible new security issue fixed upstream in 0.13.4 => transifex-client 0.13.4

Comment 5 Rémi Verschelde 2018-07-23 11:26:22 CEST
I've pushed a transifex-client-0.13.4-1.1.mga6 with an additional fix, as the upstream version had a spammy warning message which should only be an info message (https://github.com/transifex/transifex-client/issues/237).

RPMs in core/updates_testing:
=============================

python2-slugify-1.2.5-1.mga6.noarch
python3-slugify-1.2.5-1.mga6.noarch
transifex-client-0.13.4-1.1.mga6.noarch

SRPMs in core/updates_testing:
==============================

python-slugify-1.2.5-1.mga6
transifex-client-0.13.4-1.1.mga6
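
The update candidate was respun from 0.13.4-1.mga6 to 0.13.4-1.1.mga6 while still in updates_testing (comments 3 and 5), so a tester wants to confirm that what urpmi will pick actually supersedes the installed 0.12.4-1.mga6 and the earlier candidate. The script below is an added example, not code from Mageia, urpmi or transifex-client: it re-implements rpm's version ordering (the rpmvercmp algorithm, including `~` and `^` handling) and checks the NVRs listed in this report against the installed package. The installed NVR is taken from the Source RPM field, the candidate list from the two RPM lists above, and the function names are this example's own.

```python
"""Check that update-candidate RPMs supersede the installed package using
rpm's own version ordering. This is a re-implementation of the rpmvercmp
algorithm for illustration, not Mageia's or rpm's code; the helper names
(rpmvercmp, compare_evr, parse_nvr, parse_nvra, newer_candidates) are
this example's own."""
import functools
import re
from typing import List, Tuple


def _keep(c: str) -> bool:
    # rpm looks only at ASCII alphanumerics plus the '~' and '^' markers;
    # everything else ('.', '-', '_', ...) is a separator and is skipped
    return (c.isascii() and c.isalnum()) or c in "~^"


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if equal (rpm semantics)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _keep(a[i]):
            i += 1
        while j < len(b) and not _keep(b[j]):
            j += 1
        # '~' sorts before everything, even the end of the string: 1.0~rc1 < 1.0
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after the end of the string but before anything else:
        # 1.0 < 1.0^post1 < 1.0.1
        ca = i < len(a) and a[i] == "^"
        cb = j < len(b) and b[j] == "^"
        if ca or cb:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # the segment type (numeric or alphabetic) is decided by the first string
        isnum = a[i].isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        ma = re.match(pat, a[i:])
        mb = re.match(pat, b[j:])
        seg_a = ma.group(0)
        seg_b = mb.group(0) if mb else ""
        if not seg_b:
            # mismatched types: a numeric segment is newer than an alphabetic one
            return 1 if isnum else -1
        if isnum:
            # numeric segments compare by value: strip leading zeros, then
            # the longer string is larger, then compare lexically
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i += len(ma.group(0))
        j += len(mb.group(0))
    if i >= len(a) and j >= len(b):
        return 0
    # whichever string still has segments left is the newer one
    return -1 if i >= len(a) else 1


def compare_evr(a: Tuple[int, str, str], b: Tuple[int, str, str]) -> int:
    """Compare (epoch, version, release) triples in rpm's precedence order."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    rc = rpmvercmp(a[1], b[1])
    return rc if rc else rpmvercmp(a[2], b[2])


def parse_nvr(nvr: str, epoch: int = 0) -> Tuple[str, int, str, str]:
    """Split name-version-release from the right, as names may contain '-'."""
    rest, release = nvr.rsplit("-", 1)
    name, version = rest.rsplit("-", 1)
    return name, epoch, version, release


def parse_nvra(nvra: str) -> Tuple[str, int, str, str, str]:
    nvr, arch = nvra.rsplit(".", 1)
    return parse_nvr(nvr) + (arch,)


def newer_candidates(installed_nvr: str, candidates: List[str]) -> List[str]:
    """Return the candidate NVRAs of the same package that would upgrade
    installed_nvr, in ascending rpm order (the last one wins)."""
    iname, *ievr = parse_nvr(installed_nvr)
    upgrades = []
    for c in candidates:
        name, *evr, _arch = parse_nvra(c)
        if name == iname and compare_evr(tuple(evr), tuple(ievr)) > 0:
            upgrades.append(c)
    key = functools.cmp_to_key(
        lambda x, y: compare_evr(parse_nvra(x)[1:4], parse_nvra(y)[1:4]))
    return sorted(upgrades, key=key)


# Constructed input for the example: the Source RPM of the installed package
# and the NVRAs listed in updates_testing in comments 3 and 5 of this report.
INSTALLED = "transifex-client-0.12.4-1.mga6"
UPDATES_TESTING = [
    "python2-slugify-1.2.5-1.mga6.noarch",
    "transifex-client-0.13.4-1.mga6.noarch",
    "transifex-client-0.13.4-1.1.mga6.noarch",
]

if __name__ == "__main__":
    for nvra in newer_candidates(INSTALLED, UPDATES_TESTING):
        print("upgrade:", nvra)
```

On a real Mageia 6 box the installed NVR would come from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' transifex-client` rather than the constant above; the point of the check is that 0.13.4-1.1.mga6 sorts after 0.13.4-1.mga6 (the numeric release segment `1` is compared before `mga6`), so the respin from comment 5 is what a tester installing from updates_testing should see.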
Comment 6 Rémi Verschelde 2018-07-23 11:27:56 CEST
Tested successfully on Mageia 6 x86_64.

Source RPM: transifex-client-0.13.3-1.mga7.src.rpm => transifex-client-0.12.4-1.mga6
Whiteboard: (none) => MGA6-64-OK

Comment 7 Rémi Verschelde 2018-07-23 11:30:34 CEST
Advisory uploaded, validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2018-07-24 00:28:51 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2018-0133.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

