Debian-LTS has issued a security advisory on September 15: https://www.debian.org/lts/security/2020/dla-2374 The issue is fixed upstream in 3.36.5.
This has been maintained by various packagers, so assigning it to the Gnome team.
Assignee: bugsquad => gnome
openSUSE has issued an advisory for this on October 7: https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html
Upstream and openSUSE fix:
https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/98ab6ae70d7b4428579f1365e93f58cb8bd8aa02
https://build.opensuse.org/package/view_file/openSUSE:Leap:15.2:Update/gnome-shell/gnome-shell-CVE-2020-17489.patch?expand=1
Status comment: (none) => Patch available from upstream and openSUSE
Can QA check if we are affected by this bug?
CC: (none) => mageia
Is there a reason to think we're not?
Advisory:
========================

Updated gnome-shell packages fix security vulnerability:

An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.) (CVE-2020-17489).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17489
https://www.debian.org/lts/security/2020/dla-2374
========================

Updated packages in core/updates_testing:
========================
gnome-shell-3.32.1-2.2.mga7

from gnome-shell-3.32.1-2.2.mga7.src.rpm
Assignee: gnome => qa-bugs
Status comment: Patch available from upstream and openSUSE => (none)
installed - logged out - rebooted no issues
CC: (none) => brtians1
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 6.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-17489
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0316.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED