Ubuntu issued an advisory on January 12: https://ubuntu.com/security/notices/USN-4649-2 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
A parentless package, so assigning this bug globally. CC'ing wally as having done another recent security update to it.
CC: (none) => jani.valimaa
Assignee: bugsquad => pkg-bugs
Ping packagers.
Whiteboard: MGA7TOO => MGA8TOO
I reverted the patch in Cauldron as Ubuntu did, and added the latest upstream patches, the latest of which is a fix for Plasma 5.19, so we should do this same update for Mageia 8: https://cgit.freedesktop.org/xdg/xdg-utils/log/ I'll let Jani review this before we do anything for Mageia 8.
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
One thing I'm confused about too is that it appears the reverted patch is still in Ubuntu 21.04. Reading the Launchpad bug, it sounds like perhaps applications affected by the regression adapted to it? The CVE remains unsolved upstream though.
I've re-added the CVE patch in Cauldron for now, so I guess we'll have to see if anything breaks. I noticed Discord links don't open in Mageia 8 (worked in Mageia 7) so I'm wondering if xdg-open is broken and needs that fix I mentioned for newer Plasma.