Bug 26859 - trojita new security issue CVE-2020-15047
Summary: trojita new security issue CVE-2020-15047
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2020-06-25 18:29 CEST by David Walser
Modified: 2021-01-21 23:10 CET (History)
4 users (show)

See Also:
Source RPM: trojita-0.7-5.mga7.src.rpm
CVE:
Status comment:


Attachments
screenshot of rpmdrake NOT showing new trojita package. (162.18 KB, image/png)
2021-01-07 11:24 CET, PC LX
Details

Description David Walser 2020-06-25 18:29:27 CEST
A security issue in Trojita has been announced:
https://www.openwall.com/lists/oss-security/2020/06/25/1

The fix shows the CVE:
https://gerrit.vesnicky.cesnet.cz/r/#/c/1035/

The fix should be included in an upstream 0.8 release shortly.

Mageia 7 is also affected.
David Walser 2020-06-25 18:29:45 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-06-25 21:09:46 CEST
Assigning to DavidG who has done most recent commmits; CC'ing Matteo (reg mtr) for info.

Assignee: bugsquad => geiger.david68210
CC: (none) => matteo.pasotti

Comment 2 David GEIGER 2020-06-26 07:27:45 CEST
Fixed on Cauldron!
David Walser 2020-06-26 14:49:07 CEST

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Source RPM: trojita-0.7-8.git20200520.2.mga8.src.rpm => trojita-0.7-5.mga7.src.rpm

David Walser 2020-12-28 18:36:58 CET

Status comment: (none) => Patch available from upstream

Comment 3 David GEIGER 2021-01-06 14:31:28 CET
Like for Cauldron I updated trojita for mga7!

- trojita-0.7-5.git20200625.1.mga7
Comment 4 David Walser 2021-01-06 16:14:37 CET
Advisory:
========================

Updated trojita package fixes security vulnerability:

Damian Poddebniak discovered a TLS verification failure in Trojitá. When
sending e-mails over SMTP, all TLS errors were ignored (CVE-2020-15047).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15047
https://www.openwall.com/lists/oss-security/2020/06/25/1
https://gerrit.vesnicky.cesnet.cz/r/#/c/1035/
========================

Updated packages in core/updates_testing:
========================
trojita-0.7-5.git20200625.1.mga7

from trojita-0.7-5.git20200625.1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
Status comment: Patch available from upstream => (none)

Comment 5 PC LX 2021-01-07 11:23:45 CET
There is a strange issue with this update package.

I have trojita installed.

$ rpm -q trojita
trojita-0.7-5.mga7

I have the testing repositories enabled and can find the newer package in the testing repositories.

$ urpmf -f -m --name trojita 
Core Release:trojita-0.7-5.mga7.x86_64
Core Updates Testing:trojita-0.7-5.git20200625.1.mga7.x86_64
Core 32bit Release:trojita-0.7-5.mga7.i586
Core 32bit Updates Testing:trojita-0.7-5.git20200625.1.mga7.i586

But running an update does NOT show the new trojita package anywhere.

$ urpmi --auto-update --auto --test | grep -i trojita
$ ### No reference to package trojita!!!!!!!

I also tried rpmdrake but it does NOT show the new trojita package either.

(See attached screenshot.)

I tried forcing a full update of the local urpmi data but that didn't change the situation.

$ urpmi.update -a -ff


It is the first time I see such a situation.
Is this due to something wrong the the new package?
Or maybe with the mirror?


System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.

CC: (none) => mageia

Comment 6 PC LX 2021-01-07 11:24:34 CET
Created attachment 12189 [details]
screenshot of rpmdrake NOT showing new trojita package.
Comment 7 Thomas Andrews 2021-01-21 23:05:47 CET
Confirmed. I installed trojita-0.7-5.mga7.x86_64 and its dependency. 

Then I used QA Repo to find and download trojita-0.7-5.git20200625.1.mga7, but for some reason it is not being recognized by Mageia Update as an update to the installed package.

A package-naming issue, perhaps?

CC: (none) => andrewsfarm

Comment 8 David Walser 2021-01-21 23:10:31 CET
Yeah the 5 might need to be bumped to a 6.  Perhaps git < mga7 and that's what it's trying to compare in the release tag.

Keywords: (none) => feedback


Note You need to log in before you can comment on or make changes to this bug.