A CVE has been assigned for a security issue in aria2:
https://www.openwall.com/lists/oss-security/2019/01/02/2
I don't believe there is a fix yet. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => cooker
https://github.com/aria2/aria2/issues/1329
See Also: (none) => https://github.com/aria2/aria2/issues/1329
CC: (none) => mageia
Fixed in cauldron. Still working on mga6. The patch doesn't fully apply.
Status: NEW => ASSIGNED
I have uploaded a new mga6 package to 6/core/updates_testing:
aria2-1.25.0-1.1.mga6
Source RPM: aria2-1.25.0-1.1.mga6.src.rpm
(I have no idea how you're supposed to test this update.)
It fixes CVE-2019-3500.
Possible advisory:
It was observed that URLs which get downloaded via the "--log=" attribute store sensitive information. This update fixes that.
Assignee: cooker => qa-bugs
Version: Cauldron => 6
CC: (none) => tmb
Whiteboard: MGA6TOO => (none)
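One way QA could check this update beyond a plain download: fetch a file with a username and password while --log is set, then scan the resulting log for URLs that still carry credentials. This is an added example, not part of the bug report or of aria2; the sample lines are constructed and do not reproduce aria2's real log format, and the function names are hypothetical.

```python
import re
import sys
from urllib.parse import urlsplit

# A URL whose authority part carries userinfo ("user@" or "user:password@").
URL_WITH_USERINFO = re.compile(
    r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s/?#@\"'<>]+@[^\s\"'<>]+")

# Constructed sample lines (assumption: NOT aria2's real log format).
SAMPLE_LOG = [
    "[constructed] request for http://mirror.example.test/pub/a.iso",
    "[constructed] request for ftp://alice:s3cret@ftp.example.test/pub/b.iso",
    "[constructed] redirect to https://bob@files.example.test/c.iso, retrying",
    "[constructed] query https://files.example.test?contact=ops@example.test",
]

def redact(url):
    """Replace the userinfo so a finding can be reported without the secret."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[1]
    return parts._replace(netloc="***@" + host).geturl()

def find_credential_urls(lines):
    """Return (line_no, redacted_url, has_password) for each URL with userinfo."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for match in URL_WITH_USERINFO.finditer(line):
            url = match.group(0).rstrip(".,;)")
            userinfo = urlsplit(url).netloc.rsplit("@", 1)[0]
            findings.append((line_no, redact(url), ":" in userinfo))
    return findings

if __name__ == "__main__":
    # With a path argument, scan that log file; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    found = find_credential_urls(lines)
    for line_no, url, has_password in found:
        kind = "user:password" if has_password else "user only"
        print(f"line {line_no}: {url} ({kind})")
    sys.exit(1 if found else 0)
```

The script exits non-zero when any credential-bearing URL is found, so it can gate a test run; an "@" that appears only in a query string is not reported.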
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Looking for an example, found https://calomel.org/aria2.html
At CLI:
]$ aria2c http://releases.ubuntu.com/12.04.3/ubuntu-12.04.3-server-amd64.iso
 *** Download Progress Summary as of Mon Jan 14 12:02:39 2019 ***
==================================================================================================
[#127edc 216MiB/665MiB(32%) CN:1 DL:3.6MiB ETA:2m4s]
FILE: /home/tester6/Downloads/ubuntu-12.04.3-server-amd64.iso
--------------------------------------------------------------------------------------------------

 *** Download Progress Summary as of Mon Jan 14 12:03:40 2019 ***
==================================================================================================
[#127edc 424MiB/665MiB(63%) CN:1 DL:3.2MiB ETA:1m14s]
FILE: /home/tester6/Downloads/ubuntu-12.04.3-server-amd64.iso
--------------------------------------------------------------------------------------------------

 *** Download Progress Summary as of Mon Jan 14 12:04:40 2019 ***
==================================================================================================
[#127edc 613MiB/665MiB(92%) CN:1 DL:2.8MiB ETA:18s]
FILE: /home/tester6/Downloads/ubuntu-12.04.3-server-amd64.iso
--------------------------------------------------------------------------------------------------

[#127edc 664MiB/665MiB(99%) CN:1 DL:3.3MiB]
01/14 12:04:56 [NOTICE] Download afgerond: /home/tester6/Downloads/ubuntu-12.04.3-server-amd64.iso

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
127edc|OK  |   3.3MiB/s|/home/tester6/Downloads/ubuntu-12.04.3-server-amd64.iso

Status Legend:
(OK):download completed.

Then
# mount /home/tester6/Downloads/ubuntu-12.04.3-server-amd64.iso /run/media/tester6/disk/
mount: /dev/loop0 is schrijfbeveiligd en wordt als alleen-lezen aangekoppeld
(mounted readonly)
I could view the folders and files in the mounted iso, so looks OK for me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
Installed and tested without issues.
Tests included downloading files using:
- HTTP, HTTPS, FTP, FTPS, SFTP, magnet URI for torrent, torrent file.
- Direct connect only, proxy not tested.
- With and without username/password for HTTP, HTTPS, FTP, FTPS, SFTP.
- Servers used: Pure-FTPd, apache httpd, openssh sshd.
System: Mageia 6, x86_64, Intel CPU.
$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q aria2
aria2-1.25.0-1.1.mga6
CC: (none) => mageia
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0036.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Ubuntu advisory for this from May 6, for reference: https://usn.ubuntu.com/3965-1/