A security issue in Trojita has been announced:
https://www.openwall.com/lists/oss-security/2020/06/25/1

The fix shows the CVE:
https://gerrit.vesnicky.cesnet.cz/r/#/c/1035/

The fix should be included in an upstream 0.8 release shortly.

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assigning to DavidG who has done most recent commits; CC'ing Matteo (reg mtr) for info.
Assignee: bugsquad => geiger.david68210
CC: (none) => matteo.pasotti
Fixed on Cauldron!
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Source RPM: trojita-0.7-8.git20200520.2.mga8.src.rpm => trojita-0.7-5.mga7.src.rpm
Status comment: (none) => Patch available from upstream
Like for Cauldron I updated trojita for mga7! - trojita-0.7-5.git20200625.1.mga7
Advisory:
========================

Updated trojita package fixes security vulnerability:

Damian Poddebniak discovered a TLS verification failure in Trojitá. When sending e-mails over SMTP, all TLS errors were ignored (CVE-2020-15047).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15047
https://www.openwall.com/lists/oss-security/2020/06/25/1
https://gerrit.vesnicky.cesnet.cz/r/#/c/1035/
========================

Updated packages in core/updates_testing:
========================
trojita-0.7-5.git20200625.1.mga7

from trojita-0.7-5.git20200625.1.mga7.src.rpm
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
Status comment: Patch available from upstream => (none)
There is a strange issue with this update package.

I have trojita installed.

$ rpm -q trojita
trojita-0.7-5.mga7

I have the testing repositories enabled and can find the newer package in the testing repositories.

$ urpmf -f -m --name trojita
Core Release:trojita-0.7-5.mga7.x86_64
Core Updates Testing:trojita-0.7-5.git20200625.1.mga7.x86_64
Core 32bit Release:trojita-0.7-5.mga7.i586
Core 32bit Updates Testing:trojita-0.7-5.git20200625.1.mga7.i586

But running an update does NOT show the new trojita package anywhere.

$ urpmi --auto-update --auto --test | grep -i trojita
$ ### No reference to package trojita!!!!!!!

I also tried rpmdrake but it does NOT show the new trojita package either. (See attached screenshot.)

I tried forcing a full update of the local urpmi data but that didn't change the situation.

$ urpmi.update -a -ff

It is the first time I see such a situation. Is this due to something wrong with the new package? Or maybe with the mirror?

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.
CC: (none) => mageia
Created attachment 12189: screenshot of rpmdrake NOT showing new trojita package.
Confirmed. I installed trojita-0.7-5.mga7.x86_64 and its dependency. Then I used QA Repo to find and download trojita-0.7-5.git20200625.1.mga7, but for some reason it is not being recognized by Mageia Update as an update to the installed package. A package-naming issue, perhaps?
CC: (none) => andrewsfarm
Yeah the 5 might need to be bumped to a 6. Perhaps git < mga7 and that's what it's trying to compare in the release tag.
Keywords: (none) => feedback
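
Added example, not part of the bug report and not rpm's own code: a simplified Python reimplementation of rpm's segment-by-segment version comparison (no epoch, `~` or `^` handling), applied to the package versions quoted in this thread. The `0.7-6.git20200625.1.mga7` string is constructed to illustrate the release bump suggested in the last comment.

```python
import re

# Runs of ASCII digits or ASCII letters; everything else is a separator.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if equal."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # A numeric segment is always newer than an alphabetic one.
            return 1 if x_num else -1
        if x_num:
            # Numbers: drop leading zeros, the longer run of digits wins.
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            # Equal-length digits, or letters: plain string comparison.
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def compare_vr(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    ver_a, rel_a = a.rsplit("-", 1)
    ver_b, rel_b = b.rsplit("-", 1)
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)


INSTALLED = "0.7-5.mga7"                # from the thread
CANDIDATE = "0.7-5.git20200625.1.mga7"  # from the thread
BUMPED = "0.7-6.git20200625.1.mga7"     # constructed: release 5 bumped to 6

if __name__ == "__main__":
    labels = {1: "newer than", 0: "the same as", -1: "older than"}
    for cand in (CANDIDATE, BUMPED):
        print(f"{cand} is {labels[compare_vr(cand, INSTALLED)]} {INSTALLED}")
```

After the matching leading `5`, the comparison reaches the alphabetic segments `git` and `mga`, and `git` sorts lower, so the package carrying the security fix ranks as older than the installed one.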