29688 – hylafax+ regressions due to CVE-2020-15397 fix

Bug 29688 - hylafax+ regressions due to CVE-2020-15397 fix

Summary: hylafax+ regressions due to CVE-2020-15397 fix

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	RPM Packages (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2021-11-22 23:02 CET by David Walser
Modified:	2021-12-10 23:20 CET (History)
CC List:	6 users (show)

See Also:
Source RPM:	hylafax+-7.0.3-2.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-11-22 23:02:55 CET

openSUSE has issued an advisory on November 21:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XCN4RDNPZFEC7XOGPRWL5FYCRIUMWEFW/

Details from the upstream maintainer:
https://bugzilla.suse.com/show_bug.cgi?id=1191571#c1

Fixes are in 7.0.4 plus the patch added by openSUSE:
https://build.opensuse.org/package/view_file/openSUSE:Backports:SLE-15-SP3:Update/hylafax+/hylafax.diff?expand=1

David Walser 2021-11-22 23:03:13 CET

Status comment: (none) => Fixed upstream in 7.0.4 plus patch from openSUSE
CC: (none) => jani.valimaa

Marja Van Waes 2021-11-23 22:20:11 CET

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 1 Nicolas Salguero 2021-11-24 09:38:49 CET

Suggested advisory:
========================

The updated packages fix regressions due to CVE-2020-15397 fix.

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XCN4RDNPZFEC7XOGPRWL5FYCRIUMWEFW/
========================

Updated packages in core/updates_testing:
========================
hylafax+-7.0.4-1.mga8
hylafax+-client-7.0.4-1.mga8
lib(64)hylafax+7-7.0.4-1.mga8
lib(64)hylafax+-devel-7.0.4-1.mga8

from SRPM:
hylafax+-7.0.4-1.mga8.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 7.0.4 plus patch from openSUSE => (none)
Assignee: pkg-bugs => qa-bugs

Comment 2 Thomas Andrews 2021-12-09 22:38:50 CET

Tested in VirtualBox. No installation issues. 

Referenced https://bugs.mageia.org/show_bug.cgi?id=26233#c8 for test, as I do not own a device. (Thank you, Herman.)

After running 
# /usr/sbin/faxsetup -server
I checked the status of the service:
# systemctl -l status hylafax-hfaxd.service
● hylafax-hfaxd.service - HylaFAX hfaxd (client service)
     Loaded: loaded (/usr/lib/systemd/system/hylafax-hfaxd.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2021-12-09 16:21:33 EST; 6min ago
   Main PID: 74130 (hfaxd)
      Tasks: 1 (limit: 4695)
     Memory: 952.0K
        CPU: 7ms
     CGroup: /system.slice/hylafax-hfaxd.service
             └─74130 /usr/sbin/hfaxd -d -i hylafax

Dec 09 16:21:33 localhost.localdomain systemd[1]: Started HylaFAX hfaxd (client service).
Dec 09 16:21:33 localhost.localdomain HylaFAX[74130]: Listening to 0.0.0.0:4559
Dec 09 16:21:33 localhost.localdomain HylaFAX[74130]: HylaFAX INET Protocol Server: restarted.

Looks OK, as far as this test goes. Further testing, without the proper hardware, is beyond the scope of QA.

Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2021-12-10 22:00:25 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 3 Mageia Robot 2021-12-10 23:20:10 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2021-0232.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.