Security issues in fossil have been announced today (August 20): https://www.openwall.com/lists/oss-security/2020/08/20/1 There is a link in the message above to a location for patches to fix the issues. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Hi, thanks for reporting this. Immediately assigning to current registered packager.
CC: (none) => ouaurelien
Assignee: bugsquad => shlomif
Fossil 2.12.1 was uploaded to cauldron. Do you think it will be ok to upgrade the mga7-updates' packaged release to 2.12.1 as well?
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
https://fossil-scm.org/fossil/doc/trunk/www/changes.wiki 2.10.2 is closer to Mageia 7's 2.8 and also contains the security fixes.
Source RPM: fossil-2.10-2.mga8.src.rpm => fossil-2.8-1.mga7.src.rpm
CC: ouaurelien => (none)
CVE-2020-24614 assigned: https://www.openwall.com/lists/oss-security/2020/08/25/1
Summary: fossil new security issue allows remote code execution => fossil new security issue allows remote code execution (CVE-2020-24614)
Updated package uploaded by Shlomi.

Advisory:
========================

Updated fossil package fixes security vulnerability:

Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 allows remote authenticated users to execute arbitrary code. An attacker must have check-in privileges on the repository (CVE-2020-24614).

The fossil package has been updated to version 2.10.2, containing fixes for this issue, fixes for other bugs and security issues, and additional enhancements. See the changes list for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24614
https://www.openwall.com/lists/oss-security/2020/08/25/1
https://fossil-scm.org/fossil/doc/trunk/www/changes.wiki
========================

Updated packages in core/updates_testing:
========================
fossil-2.10.2-1.mga7 from fossil-2.10.2-1.mga7.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
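The advisory above gives three affected ranges (before 2.10.2, 2.11.x before 2.11.2, 2.12.x before 2.12.1). A practitioner checking an installed fossil against those ranges needs a small version comparison rather than an eyeball check, so here is an added example (not part of this bug report, nor code from the Fossil or Mageia projects) that parses the `fossil version` line in the format shown in the testing comment below and reports whether the build falls in an affected range. The ranges are taken from the advisory text; the sample output line and the version strings fed to it are constructed for the example.

```python
import re

# Constructed sample of `fossil version` output, in the same form as the
# line the QA tester quoted (version, commit hash, build timestamp).
SAMPLE_OUTPUT = "This is fossil version 2.10.2 [12d2ad00de] 2020-08-20 13:18:36 UTC"

# Affected ranges per the CVE-2020-24614 advisory:
#   - any version before 2.10.2 (mainline)
#   - 2.11.x before 2.11.2
#   - 2.12.x before 2.12.1
# A version whose major.minor is a listed branch is affected when it is older
# than that branch's first fixed release; any other version is affected when
# it is older than 2.10.2.
FIXED_ON_BRANCH = {
    (2, 11): (2, 11, 2),
    (2, 12): (2, 12, 1),
}
FIRST_FIXED_MAINLINE = (2, 10, 2)

# First dotted number in the text, e.g. "2.10.2" from the full version line,
# or the bare "2.8" of Mageia 7's original package.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text):
    """Return the first dotted version in `text` as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def normalize(version):
    """Pad a version tuple to at least three components so (2, 8) compares as 2.8.0."""
    return tuple(version) + (0,) * (3 - len(version))


def is_affected(version):
    """True when `version` lies in one of the advisory's affected ranges."""
    v = normalize(version)
    branch = v[:2]
    if branch in FIXED_ON_BRANCH:
        return v < FIXED_ON_BRANCH[branch]
    return v < FIRST_FIXED_MAINLINE


def assess(version_output):
    """Parse `fossil version` output and return the version and verdict."""
    version = parse_version(version_output)
    if version is None:
        raise ValueError("no version number found in: %r" % version_output)
    return {
        "version": ".".join(str(p) for p in version),
        "affected": is_affected(version),
    }


if __name__ == "__main__":
    # Constructed inputs: the page's patched build, the original Mageia 7
    # package version, and a few values on the 2.11/2.12 branches.
    for text in (SAMPLE_OUTPUT, "2.8", "2.11.1", "2.11.2", "2.12", "2.13"):
        result = assess(text)
        verdict = "AFFECTED" if result["affected"] else "not affected"
        print("%-8s %s" % (result["version"], verdict))
```

Run against the real `fossil version` output with `fossil version | python3 check_fossil_cve.py` style plumbing, or import `assess` and feed it the captured string; the branch table is the only part that needs changing if a later advisory adds another range.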
MGA7-64 Plasma on Lenovo B50
No installation issues
Testing along lines in bug21551 Comment 3 and 4

$ fossil help
Usage: fossil help TOPIC
Common commands: (use "fossil help help" for more options)
add        cat        fusefs     merge      revert     ui
addremove  changes    gdiff      mv         rm         undo
all        clean      git        open       settings   unpublished
amend      clone      grep       praise     sql        unversioned
annotate   commit     help       publish    stash      update
bisect     delete     import     pull       status     version
blame      diff       info       push       sync
branch     extras     init       rebuild    tag
bundle     finfo      ls         remote-url timeline
This is fossil version 2.10.2 [12d2ad00de] 2020-08-20 13:18:36 UTC

$ fossil version
This is fossil version 2.10.2 [12d2ad00de] 2020-08-20 13:18:36 UTC

$ cd Doc
Documents/ Documents.test/
$ cd Documents.test/
$ fossil init testfossil
project-id: 2be92d53511c3119e5604a39f1e0e2f8fa3da063
server-id: d1aaac0565e7855e649e8b56e1a0be597a314f53
admin-user: tester7 (initial password is "VqHA75uyCa")
$ fossil info testfossil
project-name: <unnamed>
project-code: 2be92d53511c3119e5604a39f1e0e2f8fa3da063
$ fossil clone http://www.fossil-scm.org/ testfossil1
redirect with status 301 to http://www.fossil-scm.org/home
redirect with status 301 to https://www.fossil-scm.org/home
Round-trips: 8 Artifacts sent: 0 received: 48490
Clone done, sent: 2595 received: 36233856 ip: 45.33.6.223
Rebuilding repository meta-data...
100.1% complete...
Extra delta compression...
Vacuuming the database...
project-id: CE59BB9F186226D80E49D1FA2DB29F935CCA0333
server-id: f0eda3ba4dbf1dd1be1acb0803bcd42386be658b
admin-user: tester7 (password is "pQyJYU9KPq")
$ fossil open testfossil
project-name: <unnamed>
repository: /home/tester7/Documents.test/testfossil
local-root: /home/tester7/Documents.test/
config-db: /home/tester7/.fossil
project-code: 2be92d53511c3119e5604a39f1e0e2f8fa3da063
checkout: fc7d174477c35ebd65294fa614641a5163d04eb3 2020-08-29 11:27:57 UTC
tags: trunk
comment: initial empty check-in (user: tester7)
check-ins: 1
$ fossil status testfossil
repository: /home/tester7/Documents.test/testfossil
local-root: /home/tester7/Documents.test/
config-db: /home/tester7/.fossil
checkout: fc7d174477c35ebd65294fa614641a5163d04eb3 2020-08-29 11:27:57 UTC
tags: trunk
comment: initial empty check-in (user: tester7)
$ fossil ui testfoss
testfossil testfossil1
$ fossil ui testfossil1
Listening for HTTP requests on TCP port 8080
brings browser to Fossil:Home http://localhost:8080/doc/trunk/www/index.wiki

On second CLI tab
$ fossil add config.yaml
ADDED config.yaml
$ fossil commit -m "eerste bestand"
New_Version: ec9262068615c61657a1c40d4b7ab86e4f7fd07670a38b875aacc582774ed28e
[tester7@mach5 Documents.test]$ fossil ui
Listening for HTTP requests on TCP port 8081
This brings browser to Unnamed Fossil Project Timeline http://localhost:8081/timeline?c=current showing 2 check-ins occurring around current: the initial check-in and the one labeled "eerste bestand"
Opened a ticket in this site: is accepted and shown in report list
For me that all looks OK.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0354.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED