Fedora has issued an advisory today (March 29):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UPUOI6NCEB6H6YHKN7M4V3CAQD63NXAU/

The issue is fixed upstream in 1.1.2. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 1.1.2
Fixed both mga6 and cauldron!
CC: (none) => geiger.david68210
Advisory:
========================

Updated svgsalamander package fixes security vulnerability:

A vulnerability was found in the svgsalamander library. If the library is being used in a web application for processing user supplied SVG files then the app is vulnerable to SSRF (CVE-2017-5617).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5617
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UPUOI6NCEB6H6YHKN7M4V3CAQD63NXAU/
========================

Updated packages in core/updates_testing:
========================
svgsalamander-1.1.2-1.mga6
svgsalamander-javadoc-1.1.2-1.mga6

from svgsalamander-1.1.2-1.mga6.src.rpm
Version: Cauldron => 6
Assignee: java => qa-bugs
Whiteboard: MGA6TOO => (none)
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Tried to find some testcase, but all I find delves too deep for me in Java.
Tried:
# urpmq --whatrequires svgsalamander
josm
svgsalamander
So installed josm, but when I try to use it from the CLI it first throws pages of errors, finally starts up, but loading any of the maps available from the menu just results in a black screen even after 20 min. Of course in such a case, there are no refs to svgsalamander in the trace.
Clean install is all I get at the moment.
CC: (none) => herman.viaene
Clean install and upgrade are sufficient.
OK, will be done.
Whiteboard: (none) => MGA6-32-OK
Installed and tested without issue.

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

Tested using josm. There were some error messages when starting josm but nothing related to svgsalamander.

$ uname -a
Linux marte 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
CC: (none) => mageia
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Validating. Advisory in Comment 2
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0160.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED