A security issue in Trojita has been announced: https://www.openwall.com/lists/oss-security/2020/06/25/1 The fix shows the CVE: https://gerrit.vesnicky.cesnet.cz/r/#/c/1035/ The fix should be included in an upstream 0.8 release shortly. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assigning to DavidG who has done most recent commmits; CC'ing Matteo (reg mtr) for info.
Assignee: bugsquad => geiger.david68210CC: (none) => matteo.pasotti
Fixed on Cauldron!
Version: Cauldron => 7Source RPM: trojita-0.7-8.git20200520.2.mga8.src.rpm => trojita-0.7-5.mga7.src.rpmWhiteboard: MGA7TOO => (none)
Status comment: (none) => Patch available from upstream
Like for Cauldron I updated trojita for mga7! - trojita-0.7-5.git20200625.1.mga7
Advisory: ======================== Updated trojita package fixes security vulnerability: Damian Poddebniak discovered a TLS verification failure in Trojitá. When sending e-mails over SMTP, all TLS errors were ignored (CVE-2020-15047). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15047 https://www.openwall.com/lists/oss-security/2020/06/25/1 https://gerrit.vesnicky.cesnet.cz/r/#/c/1035/ ======================== Updated packages in core/updates_testing: ======================== trojita-0.7-5.git20200625.1.mga7 from trojita-0.7-5.git20200625.1.mga7.src.rpm
CC: (none) => geiger.david68210Assignee: geiger.david68210 => qa-bugsStatus comment: Patch available from upstream => (none)
There is a strange issue with this update package. I have trojita installed. $ rpm -q trojita trojita-0.7-5.mga7 I have the testing repositories enabled and can find the newer package in the testing repositories. $ urpmf -f -m --name trojita Core Release:trojita-0.7-5.mga7.x86_64 Core Updates Testing:trojita-0.7-5.git20200625.1.mga7.x86_64 Core 32bit Release:trojita-0.7-5.mga7.i586 Core 32bit Updates Testing:trojita-0.7-5.git20200625.1.mga7.i586 But running an update does NOT show the new trojita package anywhere. $ urpmi --auto-update --auto --test | grep -i trojita $ ### No reference to package trojita!!!!!!! I also tried rpmdrake but it does NOT show the new trojita package either. (See attached screenshot.) I tried forcing a full update of the local urpmi data but that didn't change the situation. $ urpmi.update -a -ff It is the first time I see such a situation. Is this due to something wrong the the new package? Or maybe with the mirror? System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.
CC: (none) => mageia
Created attachment 12189 [details] screenshot of rpmdrake NOT showing new trojita package.
Confirmed. I installed trojita-0.7-5.mga7.x86_64 and its dependency. Then I used QA Repo to find and download trojita-0.7-5.git20200625.1.mga7, but for some reason it is not being recognized by Mageia Update as an update to the installed package. A package-naming issue, perhaps?
CC: (none) => andrewsfarm
Yeah the 5 might need to be bumped to a 6. Perhaps git < mga7 and that's what it's trying to compare in the release tag.
Keywords: (none) => feedback
Should be good now in trojita-0.7-6.git20200625.1.mga7.
Keywords: feedback => (none)
urpmi seem the update package and installs the package correctly. Tested by connecting to a IMAP account in dovecot IMAP server. The account has lots of hundreds of folders with many thousands of email in those folders. Usual features seem to work correctly. There is a possible issue. It seems the message signing/encryption/decryption is disabled (see attached screen shot). Is it a build issue? Or maybe a configuration issue? Should I make a separate bug report for this? System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver. $ uname -a Linux marte 5.10.12-desktop-1.mga7 #1 SMP Sat Jan 30 14:29:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ LANGUAGE=C urpmi --auto-update --test | grep trojita trojita 0.7 6.git2020062> x86_64 $ rpm -q trojita trojita-0.7-5.mga7 $ LANGUAGE=C urpmi trojita installing trojita-0.7-6.git20200625.1.mga7.x86_64.rpm from /var/cache/urpmi/rpms Preparing... ################################# 1/1: trojita ################################# 1/1: removing trojita-0.7-5.mga7.x86_64 ################################# $ rpm -q trojita trojita-0.7-6.git20200625.1.mga7
Created attachment 12310 [details] Trojita about dialog showing encryption/signing is disabled.
This update has been working without issues for over a week and since this is a security update I'm given it an OK for x86_64. Will create a new bug for the signing/encryption/decryption is disabled issue.
Whiteboard: (none) => MGA7-64-OK
(In reply to David Walser from comment #8) > Yeah the 5 might need to be bumped to a 6. Perhaps git < mga7 and that's > what it's trying to compare in the release tag. it's because -5.git* < -5.mga* as in "g" < "m"
that's why updating -1.mga7 -> 1.mga8 works without release bump too... rpm compares all of rel
Validated. Advisory in Comment 4.
CC: (none) => sysadmin-bugsKeywords: (none) => validated_update
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0082.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED