Fedora has issued an advisory on July 7: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ATQICUTC3SZKJL3EMABRNBONN6TJYMEN/ It doesn't say what the security issue is, and I can't find a changelog upstream either. If there really is an issue, Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
*** Bug 23033 has been marked as a duplicate of this bug. ***
CC: (none) => rverschelde
I wonder if it wasn't tagged "security" by mistake. The only commit in 0.13.4 that could relate to a potential security issue is https://github.com/transifex/transifex-client/commit/80414a6e98a7b2522e3685ae7af83bf13605a27d Maybe they used to accept any kind of file and that could be used to target their server somehow. At any rate I was working on an update to 0.13.3 in bug 23033, so I'll move to 0.13.4 here.
0.13.4 pushed to Cauldron and 6 core/updates_testing. The Mageia 6 update comes with python-slugify which is a new dependency.

I still can't really see this commit 80414a6 as fixing an actual security vulnerability, so I'd propose to downgrade this bug report to a simple bugfix. But I'll let you decide David.

Advisory:
=========

Updated transifex-client package to support transifex.com features

This update brings the latest stable version of transifex-client to Mageia 6, allowing users to benefit from bug fixes and new features to use together with the transifex.com API.

See the listed changelogs for details.

References:
- https://github.com/transifex/transifex-client/releases/tag/0.12.5
- https://github.com/transifex/transifex-client/releases/tag/0.13.0
- https://github.com/transifex/transifex-client/releases/tag/0.13.1
- https://github.com/transifex/transifex-client/releases/tag/0.13.2
- https://github.com/transifex/transifex-client/releases/tag/0.13.3
- https://github.com/transifex/transifex-client/releases/tag/0.13.4

RPMs in core/updates_testing:
=============================
python2-slugify-1.2.5-1.mga6.noarch
python3-slugify-1.2.5-1.mga6.noarch
transifex-client-0.13.4-1.mga6.noarch

SRPMs in core/updates_testing:
==============================
python-slugify-1.2.5-1.mga6
transifex-client-0.13.4-1.mga6

CC Filip and Yuri to help testing it as they use tx-client for Mageia translations.

To install the update candidate, you can use `urpmi --searchmedia testing transifex-client`.
Version: Cauldron => 6
Assignee: rverschelde => qa-bugs
CC: (none) => filip.komar, yurchor
Whiteboard: MGA6TOO => (none)
Yeah it could have been marked security by mistake. It happens sometimes.
Component: Security => RPM Packages
QA Contact: security => (none)
Summary: transifex-client possible new security issue fixed upstream in 0.13.4 => transifex-client 0.13.4
I've pushed a transifex-client-0.13.4-1.1.mga6 with an additional fix, as the upstream version had a spammy warning message which should only be an info message (https://github.com/transifex/transifex-client/issues/237).

RPMs in core/updates_testing:
=============================
python2-slugify-1.2.5-1.mga6.noarch
python3-slugify-1.2.5-1.mga6.noarch
transifex-client-0.13.4-1.1.mga6.noarch

SRPMs in core/updates_testing:
==============================
python-slugify-1.2.5-1.mga6
transifex-client-0.13.4-1.1.mga6
Tested successfully on Mageia 6 x86_64.
Source RPM: transifex-client-0.13.3-1.mga7.src.rpm => transifex-client-0.12.4-1.mga6
Whiteboard: (none) => MGA6-64-OK
Advisory uploaded, validating.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2018-0133.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED