Debian-LTS has issued an advisory on November 23: https://www.debian.org/lts/security/2020/dla-2465 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => mageia
Keywords: (none) => Triaged
This one is tricky. We have php-pear-Archive_Tar-1.4.10-1, which can't be installed, as it is already provided by php-pear. php-pear is a multi-source rpm and the autosetup macro does not provide multiple -a switches (#27669), which makes it more complicated to patch. Unless we consider this to be severe, I would wait for the next release of php-pear-Archive_Tar and obsolete the conflicting package.
Can we patch it in php-pear like Debian did?
Only the old way. We have no "setup", only tar -xzf ..., so we have to apply the patches manually afterwards :( And due to the autosetup bug, I can't unpack multiple packages in one rpm and patch them afterwards :/
Ubuntu has issued an advisory for this on December 1: https://ubuntu.com/security/notices/USN-4654-1
Source RPM: php-pear-Archive_Tar-1.4.10-1.mga8.src.rpm => php-pear-1.10.12-1.mga8.src.rpm, php-pear-Archive_Tar-1.4.10-1.mga8.src.rpm
Summary: php-pear-Archive_Tar new security issues CVE-2020-28948, CVE-2020-28949 => php-pear, php-pear-Archive_Tar new security issues CVE-2020-28948 and CVE-2020-28949
Fedora has issued an advisory for this today (December 2): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/
Updated php-pear packages fix security vulnerabilities:

Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 / CVE-2020-28949)
Updated Archive_Tar to 1.4.11

References:
https://www.debian.org/lts/security/2020/dla-2465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949
========================
Updated packages in core/updates_testing:
========================
php-pear-1.10.9-1.1.mga7.noarch.rpm

SRPM: php-pear-1.10.9-1.1.mga7.src.rpm
Assignee: mageia => qa-bugs
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Version: Cauldron => 7
MGA7-64 MATE on Peaq C1011

No installation issues.
No previous updates on this specific option, so went looking for info and found https://github.com/pear/Archive_Tar (other site replicated the same info). So tried the two commands for testing:

$ phpunit tests/
bash: phpunit: command not found

and

$ pear run-tests -r
PHP Warning: PHP Startup: Unable to load dynamic library 'xml' (tried: /usr/lib64/php/extensions/xml (/usr/lib64/php/extensions/xml: cannot open shared object file: No such file or directory), /usr/lib64/php/extensions/xml.so (/usr/lib64/php/extensions/xml.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Running 0 tests
TOTAL TIME: 00:00
0 PASSED TESTS
0 SKIPPED TESTS

Looks to me like other packages are needed to run these tests, but that's not in my league. Unless someone else has a better idea, I will not object to an OK on clean install, as we often do with developer stuff.
CC: (none) => herman.viaene
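Since the upstream test suite could not be run here, a quick independent sanity check of what "filename manipulation" means for a tar extractor is shown below. This is an added example, not code from the original bug report, from Archive_Tar, or from the Mageia package: it builds a small archive with constructed entry names of the kinds the fixed Archive_Tar refuses (a "../" traversal, a stream-wrapper prefix in mixed case such as PHAR://, a non-phar wrapper such as file://, and an absolute path) and runs each member name through a standalone check of the sort an extractor must apply before opening the target. The function names, the destination directory and the sample names are assumptions chosen for the illustration.

```python
import io
import posixpath
import re
import tarfile
from typing import Dict, Optional

# In PHP, passing a name like "phar://x" or "FILE:///etc/foo" to fopen() hands
# it to a stream wrapper, so the scheme must be rejected case-insensitively and
# for every scheme, not only for the literal lowercase "phar://".
STREAM_WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def check_member_name(name: str, dest: str = "/tmp/extract") -> Optional[str]:
    """Return a short reason if `name` must not be extracted under `dest`, else None.

    The checks are purely lexical and independent of Archive_Tar; they mirror the
    classes of hostile names an extractor has to refuse (assumed policy, not the
    library's own code).
    """
    if not name:
        return "empty name"
    if "\x00" in name:
        return "embedded NUL"
    if STREAM_WRAPPER_RE.match(name):
        return "stream-wrapper prefix"
    if name.startswith(("/", "\\")):
        return "absolute path"
    base = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(base, name))
    # After resolving "." and ".." the target must still sit inside dest.
    if target != base and not target.startswith(base + "/"):
        return "path traversal"
    return None


def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign entry plus four hostile names."""
    entries = [
        ("ok/readme.txt", b"hello\n"),
        ("../../etc/cron.d/evil", b"* * * * * root id\n"),
        ("PHAR://evil.phar/x", b"payload"),
        ("file:///tmp/overwrite", b"payload"),
        ("/etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n"),
    ]
    buf = io.BytesIO()
    # addfile() stores TarInfo.name verbatim, so the hostile names survive
    # (TarFile.add() would have stripped the leading "/").
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_tar(blob: bytes, dest: str = "/tmp/extract") -> Dict[str, Optional[str]]:
    """Map every member name (and symlink target) in `blob` to its rejection reason."""
    verdicts: Dict[str, Optional[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        for member in tar.getmembers():
            verdict = check_member_name(member.name, dest)
            # A symlink whose target points outside dest (or at a wrapper URL)
            # is just as dangerous as a hostile member name.
            if verdict is None and member.issym():
                verdict = check_member_name(member.linkname, dest)
            verdicts[member.name] = verdict
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit_tar(build_sample_tar()).items():
        print(f"{'REJECT' if verdict else 'ok    '} {name!r:32} {verdict or ''}")
```

Only the `ok/readme.txt` entry passes; each of the other four is refused for a different reason, which is the behaviour a patched extractor should show for the same archive.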
The changes are minor, so I think this can be pushed.
Whiteboard: (none) => MGA7-64-OK
Advisory pushed to SVN. Validating.

Advisory:
========================

Updated php-pear packages fix security vulnerabilities:

Filename manipulation vulnerabilities (CVE-2020-28948 / CVE-2020-28949)
Updated also Archive_Tar to 1.4.11.

References:
https://www.debian.org/lts/security/2020/dla-2465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949
========================
Updated packages in core/updates_testing:
========================
php-pear-1.10.9-1.1.mga7.noarch.rpm

SRPM: php-pear-1.10.9-1.1.mga7.src.rpm
Source RPM: php-pear-1.10.12-1.mga8.src.rpm, php-pear-Archive_Tar-1.4.10-1.mga8.src.rpm => php-pear-1.10.9-1.mga7.src.rpm, php-pear-Archive_Tar-1.4.5-1.mga7.src.rpm
Keywords: Triaged => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0453.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED