A security issue in Trojita has been announced:
The fix shows the CVE:
The fix should be included in an upstream 0.8 release shortly.
Mageia 7 is also affected.
Assigning to DavidG who has done most recent commits; CC'ing Matteo (reg mtr) for info.
Fixed on Cauldron!
Patch available from upstream
Like for Cauldron I updated trojita for mga7!
Updated trojita package fixes security vulnerability:
Damian Poddebniak discovered a TLS verification failure in Trojitá. When
sending e-mails over SMTP, all TLS errors were ignored (CVE-2020-15047).
Updated packages in core/updates_testing:
Patch available from upstream =>
There is a strange issue with this update package.
I have trojita installed.
$ rpm -q trojita
I have the testing repositories enabled and can find the newer package in the testing repositories.
$ urpmf -f -m --name trojita
Core Updates Testing:trojita-0.7-5.git20200625.1.mga7.x86_64
Core 32bit Release:trojita-0.7-5.mga7.i586
Core 32bit Updates Testing:trojita-0.7-5.git20200625.1.mga7.i586
But running an update does NOT show the new trojita package anywhere.
$ urpmi --auto-update --auto --test | grep -i trojita
$ ### No reference to package trojita!!!!!!!
I also tried rpmdrake but it does NOT show the new trojita package either.
(See attached screenshot.)
I tried forcing a full update of the local urpmi data but that didn't change the situation.
$ urpmi.update -a -ff
It is the first time I see such a situation.
Is this due to something wrong with the new package?
Or maybe with the mirror?
System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.
Created attachment 12189
screenshot of rpmdrake NOT showing new trojita package.
Confirmed. I installed trojita-0.7-5.mga7.x86_64 and its dependency.
Then I used QA Repo to find and download trojita-0.7-5.git20200625.1.mga7, but for some reason it is not being recognized by Mageia Update as an update to the installed package.
A package-naming issue, perhaps?
Yeah the 5 might need to be bumped to a 6. Perhaps git < mga7 and that's what it's trying to compare in the release tag.
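The release-tag hypothesis in the last comment can be checked with the following added example, which is not part of the bug thread or of any Mageia tooling. It is a simplified re-implementation of RPM's segment-wise version comparison (tilde and caret handling omitted), applied to the two release strings shown in the `urpmf` output; the `6.git20200625.1.mga7` value is constructed from the "bump to 6" suggestion, and the function names are hypothetical.

```python
import re

# Separators are discarded; each label splits into digit runs and letter runs.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if equal (simplified)."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # A numeric segment always sorts newer than an alphabetic one.
            return 1 if x_num else -1
        if x_num:
            # Numbers: drop leading zeros, then the longer run is larger.
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            # Same kind and length: plain byte-wise string comparison.
            return 1 if x > y else -1
    # All shared segments equal: the label with segments left over is newer.
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1

def is_update(installed: tuple, candidate: tuple) -> bool:
    """installed/candidate are (version, release); epoch is assumed equal."""
    by_version = rpmvercmp(candidate[0], installed[0])
    if by_version != 0:
        return by_version > 0
    return rpmvercmp(candidate[1], installed[1]) > 0

INSTALLED = ("0.7", "5.mga7")                # from the thread
TESTING = ("0.7", "5.git20200625.1.mga7")    # from the thread
BUMPED = ("0.7", "6.git20200625.1.mga7")     # constructed: release bumped to 6

if __name__ == "__main__":
    for name, cand in (("testing", TESTING), ("bumped", BUMPED)):
        print(name, "-".join(cand), "is an update:", is_update(INSTALLED, cand))
```

After the shared `5`, the comparison reaches `git` against `mga`; both are alphabetic, and `git` sorts before `mga`, so the package carrying the security fix ranks older than the installed one and is never offered.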