SUSE has issued an advisory on December 11:
http://lists.suse.com/pipermail/sle-security-updates/2019-December/006238.html

The issue is fixed upstream in 0.8.8 and 0.9.3:
https://www.libssh.org/2019/12/10/libssh-0-9-3-and-libssh-0-8-8-security-release/

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Done for both Cauldron and mga7!
CC: (none) => geiger.david68210
Advisory:
========================

Updated libssh packages fix security vulnerability:

In an environment where a user is only allowed to copy files and not to execute applications, it would be possible to pass a location which contains commands to be executed in addition (CVE-2019-14889).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14889
https://www.libssh.org/security/advisories/CVE-2019-14889.txt
========================

Updated packages in core/updates_testing:
========================
libssh4-0.8.8-1.mga7
libssh-devel-0.8.8-1.mga7

from libssh-0.8.8-1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 7
Ubuntu has issued an advisory for this on December 10: https://usn.ubuntu.com/4219-1/
Severity: normal => major
MGA7-64 Plasma on Lenovo B50

At installation:
The following packages have to be removed for others to be upgraded:
curl-examples-7.66.0-1.mga7.noarch (vanwege onvoldane curl-devel >= 1:7.66.0-1.mga7)
lib64curl-devel-7.66.0-1.mga7.x86_64 (vanwege ontbrekende devel(libssh(64bit)))
lib64ssh-devel-0.8.7-1.mga7.x86_64 (vanwege onvoldane lib64ssh4 == 1:0.8.7-1.mga7)

Answer yes and then when applying:
devel(libcurl(64bit)) is needed by (geïnstalleerd) lib64netcdf-devel-4.6.1-5.mga7.x86_64
CC: (none) => herman.viaene
You should really run it in English if you're going to paste error messages, but it sounds to me like you asked it to only update lib64ssh4 and not lib64ssh-devel while you have both installed currently.
Removed offending packages one by one in MCC, then installation works OK.

Found remmina as dependent on lib64ssh4, so installed it with its vnc-plugin and then
$ strace -o lib64ssh4.txt remmina
StatusNotifier/Appindicator support: your desktop does support it and libappindicator is compiled in remmina. Good!

Checked the trace file and found a reference to /lib64/libssh.so.4. So OK for me. The problem with the installation might have been caused by a left-over of other updates-testing, so AFAICS no reason to withhold the update.

@ David: I am probably one of the few running tests in another language than English, and even more probably the only one in Dutch, and I consider this an important part in the testing. I do my best to provide translations, but I will show the original texts, so anyone can get it. BTW: in odd cases, this shows that languages are mixed in some outputs. And yes, I almost always install without the devel packages. It (sometimes, but seldom) pays off by detecting some packaging problem like in bug 25825.
Whiteboard: (none) => MGA7-64-OK
For packaging issues, non-English outputs are not helpful. I believe you can set an environment variable to get English output without changing your user settings. As for installing without devel packages, I agree that's a good idea, but you just have to make sure that you don't already have them installed, as a partial update won't work.
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0402.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
*** Bug 25905 has been marked as a duplicate of this bug. ***
CC: (none) => zombie.ryushu