Bug 26226 - inn new security issue CVE-2019-3692
Summary: inn new security issue CVE-2019-3692
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-20 21:18 CET by David Walser
Modified: 2020-12-27 15:39 CET

See Also:
Source RPM: inn-2.6.3-2.mga8.src.rpm
CVE:
Status comment: Fix described in bug report


Description David Walser 2020-02-20 21:18:04 CET
openSUSE has issued an advisory today (February 20):
https://lists.opensuse.org/opensuse-updates/2020-02/msg00083.html

We do have protected_hardlinks set, so we don't need to push an update for Mageia 7, but we should fix it in SVN there and fix Cauldron the same way openSUSE did.

Basically they got rid of the chown calls in post and instead of doing the touch as root, did "runuser -u news -g news touch ..." with the files at the end.
David Walser 2020-02-21 17:57:01 CET

Status comment: (none) => Fix described in bug report
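
A check a packager could run over a %post scriptlet for the pattern the description above talks about (touch and chown executed directly by root versus the runuser form), together with a test of the protected_hardlinks setting the description relies on. This is an added example, not Mageia's or openSUSE's packaging code: the two sample scriptlets and the /path/to/news-owned/file placeholder are constructed, and audit_scriptlet and protected_hardlinks_enabled are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not Mageia's or openSUSE's packaging code.
# Sample scriptlets are constructed; /path/to/news-owned/file is a placeholder.

OLD_POST='touch /path/to/news-owned/file
chown news:news /path/to/news-owned/file'
NEW_POST='# create the file with the privileges of its eventual owner
runuser -u news -g news touch /path/to/news-owned/file'

# Read a scriptlet on stdin and report each line whose command is a touch or
# chown executed directly by root. Returns 0 when nothing is flagged.
audit_scriptlet() {
    lineno=0
    findings=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        set -f; set -- $line; set +f     # word-split without globbing
        case "${1:-}" in
            '' | '#'*) ;;                # blank line or comment
            runuser) ;;                  # command runs as the user given to -u
            touch | chown)
                echo "line $lineno: $1 runs as root: $line"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Succeeds when the kernel's hardlink restriction is on, the setting the
# report relies on for Mageia 7. The file argument exists only for testing.
protected_hardlinks_enabled() {
    [ "$(cat "${1:-/proc/sys/fs/protected_hardlinks}" 2>/dev/null)" = "1" ]
}

printf '%s\n' "$OLD_POST" | audit_scriptlet || echo "old %post: root-run file operations found"
printf '%s\n' "$NEW_POST" | audit_scriptlet && echo "new %post: clean"
protected_hardlinks_enabled && echo "protected_hardlinks=1" || echo "protected_hardlinks is not 1"
```

The audit only looks at the first word of each line, so commands chained after `;` or `&&` on one line need a manual look.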

Comment 1 Lewis Smith 2020-02-22 19:07:19 CET
In the absence of an obvious maintainer for this package, assigning it globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2020-12-27 15:39:12 CET
fixed in cauldron

Resolution: (none) => FIXED
CC: (none) => mageia
Status: NEW => RESOLVED

