openSUSE has issued an advisory on July 17: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AQ44KVDTB6D2MENE7C2YPVCSV3BXT3B4/ The issue is fixed upstream in 2.14.2: https://fossil-scm.org/home/doc/trunk/www/changes.wiki#v2_14 Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.14.2
fixed in mga9
Whiteboard: MGA8TOO => (none)
CC: (none) => mageia
Version: Cauldron => 8
fixed in mga8: src: - fossil-2.14.2-1.mga8
Assignee: geiger.david68210 => qa-bugs
Suggested Advisory:
========================

Updated fossil package fixes security vulnerabilities:

Client-side TLS has been fixed so that it verifies that the server hostname matches its certificate (fixed in fossil 2.14.2).

A data exfiltration bug in the server (fixed in fossil 2.14.1).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29266
- https://fossil-scm.org/home/doc/trunk/www/changes.wiki#v2_14
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AQ44KVDTB6D2MENE7C2YPVCSV3BXT3B4/
========================

Updated package in core/updates_testing:
========================
fossil-2.14.2-1.mga8

from SRPM:
fossil-2.14.2-1.mga8.src.rpm
Status comment: Fixed upstream in 2.14.2 => (none)
CC: (none) => ouaurelien
Source RPM: fossil-2.14-1.mga9.src.rpm => fossil-2.12.1-1.mga8.src.rpm
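The first item in the suggested advisory above, the missing client-side hostname check, is the whole of CVE-2021-36377: the client validated the certificate chain but never compared the name in the certificate with the host it had dialled, so any CA-issued certificate for any site satisfied it. The Python below is an added example written for this page, not fossil's own C code; it implements that comparison the way RFC 6125 describes it (dNSName SANs first, CN only as a fallback, wildcards confined to one left-most label) and puts a client context that skips the check next to the correct one. The certificate dicts are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns, not real fossil-scm.org certificate data.

```python
"""Server-hostname verification for a TLS client.

Added example for this page (not fossil's own code). Certificate dicts are
constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
"""
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate DNS name with a hostname.

    Case-insensitive; a single '*' is accepted only as the entire left-most
    label, it never spans a dot, and it never matches a public suffix such
    as '*.org' (fewer than three labels).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """True when the certificate covers the hostname.

    dNSName SANs are authoritative. The subject commonName is consulted only
    when the certificate carries no dNSName SAN at all, so a CN cannot
    rescue a certificate whose SANs name some other host.
    """
    san_dns = [value for kind, value in cert.get("subjectAltName", ())
               if kind == "DNS"]
    if san_dns:
        return any(dns_name_matches(name, hostname) for name in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


def unverified_name_context() -> ssl.SSLContext:
    """The pre-2.14.2 failure mode: the chain is still validated against the
    CA store, but the peer's name is never compared with the dialled host,
    so any CA-issued certificate for any site is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Chain verification and hostname check both on (the library defaults),
    plus a TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample certificates (not real fossil-scm.org certificate data).
SAN_CERT = {
    "subject": ((("commonName", "fossil-scm.org"),),),
    "subjectAltName": (("DNS", "fossil-scm.org"), ("DNS", "*.fossil-scm.org")),
}
# SAN names another host while the CN happens to match: must be rejected.
CN_DECOY_CERT = {
    "subject": ((("commonName", "www.fossil-scm.org"),),),
    "subjectAltName": (("DNS", "cdn.example.net"),),
}
# Legacy certificate with no SAN at all: the CN is used.
CN_ONLY_CERT = {"subject": ((("commonName", "*.example.net"),),)}


if __name__ == "__main__":
    for host in ("www.fossil-scm.org", "a.b.fossil-scm.org", "evil.example.com"):
        print(host, hostname_matches_cert(SAN_CERT, host))
```

In a real client the dict comes from `getpeercert()` after the handshake, and a negative result must abort the connection before any credentials or sync data are sent; with the stdlib the simpler route is to leave `check_hostname` at its default of `True` and pass `server_hostname=` to `wrap_socket()`, which performs the same comparison inside the handshake.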
MGA8-64 Plasma on Lenovo B50
No installation issues
Ref bug 27153 Comment 6 for testing.

$ fossil help TOPIC
Try "fossil help help" or "fossil help -a" for more options
Frequently used commands:
  add        cat        diff       ls         revert     timeline
  addremove  changes    extras     merge      rm         ui
  all        chat       finfo      mv         settings   undo
  amend      clean      gdiff      open       sql        unversioned
  annotate   clone      grep       pull       stash      update
  bisect     commit     help       push       status     version
  blame      dbstat     info       rebuild    sync
  branch     delete     init       remote     tag
This is fossil version 2.14.2 [fb3938ee09] 2021-06-15 01:00:33 UTC

[tester8@mach5 ~]$ fossil version
This is fossil version 2.14.2 [fb3938ee09] 2021-06-15 01:00:33 UTC

$ cd Documenten.test/
This is a newly created folder in the home folder, thus completely empty.

[tester8@mach5 Documenten.test]$ fossil init testfossil
project-id: 625324c274456347f877666391c7b2025983ab48
server-id:  bb3f378185dc4ac571bb337013d8092f70ce15f0
admin-user: tester8 (initial password is "AxP56FkiCb")

[tester8@mach5 Documenten.test]$ ls
testfossil

[tester8@mach5 Documenten.test]$ fossil info testfossil
project-name: <unnamed>
project-code: 625324c274456347f877666391c7b2025983ab48

[tester8@mach5 Documenten.test]$ ls -als
total 232
  4 drwxrwxr-x  2 tester8 tester8   4096 Jul 26 14:25 ./
  4 drwxr-x--- 24 tester8 tester8   4096 Jul 26 14:23 ../
224 -rw-r--r--  1 tester8 tester8 229376 Jul 26 14:25 testfossil

[tester8@mach5 Documenten.test]$ fossil clone http://www.fossil-scm.org/ testfossil1
redirect with status 301 to http://www.fossil-scm.org/home
redirect with status 301 to https://www.fossil-scm.org/home
Round-trips: 9   Artifacts sent: 0  received: 52932
Clone done, sent: 2966  received: 40760752  ip: 45.33.6.223
Rebuilding repository meta-data...
  100.1% complete...
Extra delta compression...
Vacuuming the database...
project-id: CE59BB9F186226D80E49D1FA2DB29F935CCA0333
server-id:  9dced0bbc2fe88c6d9491cd172132efecf167d57
admin-user: tester8 (password is "PzBxy5DjQi")

[tester8@mach5 Documenten.test]$ ls -als
total 55748
    4 drwxrwxr-x  2 tester8 tester8     4096 Jul 26 14:29 ./
    4 drwxr-x--- 24 tester8 tester8     4096 Jul 26 14:23 ../
  224 -rw-r--r--  1 tester8 tester8   229376 Jul 26 14:25 testfossil
55516 -rw-r--r--  1 tester8 tester8 56844288 Jul 26 14:29 testfossil1

[tester8@mach5 Documenten.test]$ fossil open testfossil
directory /home/tester8/Documenten.test is not empty
use the -f or --force option to override

Of course it's not empty; I just created the two repos in it, and these are SQLite files. But continuing, using the suggestion above:

[tester8@mach5 Documenten.test]$ fossil open testfossil -f
project-name: <unnamed>
repository:   /home/tester8/Documenten.test/testfossil
local-root:   /home/tester8/Documenten.test/
config-db:    /home/tester8/.config/fossil.db
project-code: 625324c274456347f877666391c7b2025983ab48
checkout:     3d587b7b01f55e36a1abbe2ab7b72ff7575587d9 2021-07-26 12:25:26 UTC
tags:         trunk
comment:      initial empty check-in (user: tester8)
check-ins:    1

[tester8@mach5 Documenten.test]$ fossil status testfossil
repository:   /home/tester8/Documenten.test/testfossil
local-root:   /home/tester8/Documenten.test/
config-db:    /home/tester8/.config/fossil.db
checkout:     3d587b7b01f55e36a1abbe2ab7b72ff7575587d9 2021-07-26 12:25:26 UTC
tags:         trunk
comment:      initial empty check-in (user: tester8)

[tester8@mach5 Documenten.test]$ fossil ui testfoss
repository does not exist or is in an unreadable directory: testfoss

That is unexpected w.r.t. the previous update procedure, but going on.
[tester8@mach5 Documenten.test]$ fossil ui testfossil1
Listening for HTTP requests on TCP port 8080
(firefox:13629): Gtk-WARNING **: 14:45:18.332: Theme parsing error: gtk.css:2:33: Failed to import: Error opening file /home/tester8/.config/gtk-3.0/window_decorations.css: file or folder does not exist

This brings the browser to Fossil: Home, http://localhost:8080/doc/trunk/www/index.wiki. The contents seem OK except for a red text "ERROR: no such command: builtin_request_js".

On a second CLI tab:
[tester8@mach5 Documenten]$ fossil add tutorialredis.txt
repository does not exist or is in an unreadable directory: /home/tester8/Documenten/testfossil

That is not OK either; the repo has been force-opened before. So committing is not possible here.
CC: (none) => herman.viaene
Not giving up totally:
$ fossil delete testfossil
[tester8@mach5 Documenten.test]$ ls -als
total 55828
    4 drwxrwxr-x  2 tester8 tester8     4096 Jul 26 14:46 ./
    4 drwxr-x--- 24 tester8 tester8     4096 Jul 26 14:23 ../
   32 -rw-r--r--  1 tester8 tester8    32768 Jul 26 14:40 .fslckout
  224 -rw-r--r--  1 tester8 tester8   229376 Jul 26 14:40 testfossil
55564 -rw-r--r--  1 tester8 tester8 56893440 Jul 26 14:46 testfossil1

Deleted the .fslckout and testfossil manually.

[tester8@mach5 Documenten.test]$ fossil init testfossil
project-id: c1b07ab9f072e52cfcfb3a24068e7197338d9695
server-id:  cf5311be68f54a9a6f9f36f5ce1ebe4d81551369
admin-user: tester8 (initial password is "Gy8CarFqxA")

[tester8@mach5 Documenten.test]$ fossil open testfossil
directory /home/tester8/Documenten.test is not empty
use the -f or --force option to override

[tester8@mach5 Documenten.test]$ fossil open testfossil -f
project-name: <unnamed>
repository:   /home/tester8/Documenten.test/testfossil
local-root:   /home/tester8/Documenten.test/
config-db:    /home/tester8/.config/fossil.db
project-code: c1b07ab9f072e52cfcfb3a24068e7197338d9695
checkout:     59b25ce6ede6d9509fc0c4c79ac7c43fb4237de8 2021-07-26 12:58:54 UTC
tags:         trunk
comment:      initial empty check-in (user: tester8)
check-ins:    1

Copied a text file into the folder and went on:

[tester8@mach5 Documenten.test]$ fossil add tutorialredis.txt
ADDED tutorialredis.txt
[tester8@mach5 Documenten.test]$ fossil commit -m "eerste bestand"
New_Version: d230d32b6df2e1ca1532def171a95999cb14ac68d902e5f585ea2c7d663097d4

$ fossil ui
Listening for HTTP requests on TCP port 8080
(firefox:16796): Gtk-WARNING **: 15:07:55.388: Theme parsing error: gtk.css:2:33: Failed to import: Error opening file /home/tester8/.config/gtk-3.0/window_decorations.css: File or directory does not exist

This brings the browser to Unnamed Fossil Project: Timeline, http://localhost:8081/timeline?c=current, showing 2 check-ins occurring around current: the initial check-in and the one labeled "eerste bestand".

Opened a ticket on this site: it is accepted and shown in the report list.

I'd rather have someone else looking into this; I don't feel confident. This is certainly operating as smoothly as in bug 27153.
Fedora has issued an advisory for this today (July 26): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JBTRZ5HCOUTIIKJF3T37NORI4P7EVYCY/ It has been assigned CVE-2021-36377.
Summary: fossil new TLS verification security issue => fossil new TLS verification security issue (CVE-2021-36377)
Severity: normal => major
I spent a little time on this and was able to create a repo, add a file, commit the file and look at it in the UI. I didn't get any errors from the UI side.

$ fossil version
This is fossil version 2.14.2 [fb3938ee09] 2021-06-15 01:00:33 UTC

I'm going to okay this as it does perform init, add, commit, and checkout functions. It also displays the commits, etc. in the UI.
CC: (none) => brtians1
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0491.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED