Fedora has issued an advisory today (November 9): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JEGEFJ7FLVRKHGLAE4DKVISLIWBWBFDW/ The issue is fixed upstream in 1.3.6. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the php stack maintainers, CC'ing two committers.
Assignee: bugsquad => php
CC: (none) => guillomovitch, mageia, marja11
this package seems to have only one dep: fusiondirectory, which is maintained by ennael. I'll push the new version.
CC: (none) => mageia
Assignee: php => mageia
since this package was moved from pear to composer, there might be issues. Hopefully ennael can test his package if this still meets all requirements.

Suggested advisory:
========================

Updated php-pear-CAS packages fix security vulnerabilities:

An XSS vulnerability has been fixed for proxy mode.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JEGEFJ7FLVRKHGLAE4DKVISLIWBWBFDW/
========================

Updated packages in core/updates_testing:
========================
php-pear-CAS-1.3.6-1.mga6.noarch.rpm

SRPM:
php-pear-CAS-1.3.6-1.mga6.src.rpm
Assignee: mageia => qa-bugs
CC: (none) => tmb
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 20722 and bug 10136, I tried to install moodle, but there is no package (anymore?) with this name. Consulting rpmfind, it is in Fedora up to 29, but in Mageia last in Mageia 5 and
# urpmq --whatrequires php-pear-CAS
php-pear-CAS
So I would agree on a clean install. Is that acceptable???
CC: (none) => herman.viaene
Yes moodle was dropped. Clean install/upgrade is sufficient here.
Whiteboard: (none) => MGA6-32-OK
(In reply to David Walser from comment #5)
> Yes moodle was dropped.
This is drastic - a major application.

Trying M6 x64 I found a bit different from Herman:
$ urpmq --whatrequires php-pear-CAS | sort -u
fusiondirectory
$ urpmq --whatrequires-recursive php-pear-CAS | sort -u
fusiondirectory
fusiondirectory-database
+ loads of fusiondirectory-plugin-xxx
$ urpmq --whatrequires fusiondirectory | sort -u
fusiondirectory
fusiondirectory-database
fusiondirectory-plugin-xxx etc etc
This is enigmatic. Are we dealing with packages which are not used?

BEFORE update: installed:
php-pear-CAS-1.3.5-1.mga6.noarch.rpm
which showed unusually:
install ok: channel://__uri/CAS-1.3.5

AFTER painless update:
php-pear-CAS-1.3.6-1.mga6

> Clean install/upgrade is sufficient here.
So OKing it, & validating. Advisory done from comment 3.
Keywords: (none) => advisory, validated_update
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
(In reply to Lewis Smith from comment #6)
> (In reply to David Walser from comment #5)
> > Yes moodle was dropped.
> This is drastic - a major application.

Nonsense. It was yet another webapp that wasn't used by many and wasn't able to be maintained. We've dropped plenty of others like that and need to continue to do that. For Moodle, it was only packaged for us in Mageia 5, and it didn't even last the lifetime of it. I ended support for the package two and a half years ago. It was something that I packaged because I was using it at work, but it was a difficult and complicated package. There was a third party regular expression plugin that I had bundled with it that we needed for grading some quiz questions that broke at times and I had to work with the upstream author to resolve those issues, so that was something that I always had to test when updating Moodle to a new branch, and the last major update I did, they removed the default theme which had been there for years and worked very well, and replaced it with one that was awful and very buggy, which forced me to then also bundle a third party theme that was the only one that didn't break any of our quizzes, so that was another thing that I needed to test every time it was updated, and once the contract I was working on ended, I didn't have the ability to test it anymore.

> This is enigmatic. Are we dealing with packages which are not used?

Probably, but your urpmq command won't help you determine that. Applications like that are leaf packages and generally wouldn't be required by anything, that doesn't tell you anything about who is using it, but I've never heard anything about anyone using fusiondirectory (which doesn't mean nobody does, but probably very few do).
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0452.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED