Debian has issued an advisory on January 6: https://www.debian.org/security/2022/dsa-5036 I didn't realize it was for the same package. openSUSE has issued an advisory for this today (February 21): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BGIIYJ6U7AIFKGIYHMGJHVDPJF5AWYOA/ Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
CC: (none) => java, zen25000
Thanks David, I am not sure what to do with this. Version 2.3.2 is the latest version for which Sphinx have released sources, I have been waiting for this to change, but they are now talking about version 4.x.x and have still not made any 3.x.x sources available, only pre-packaged binaries as far as I can see. I suspect that the fix applies binary patches, which if made for 3.x.x will be useless for 2.3.2. I think that other distros somehow use the upstream binary repository in order to provide the latest package.
It looks like Debian and openSUSE have backported patches. It sounds like the package should probably be dropped in Cauldron.
Glad Barry picked this up; changing you from CC to assignee.
Assignee: bugsquad => zen25000CC: zen25000 => (none)
I have requested access to current sources upstream.
here is the debian patch : https://salsa.debian.org/debian/sphinxsearch/-/blob/4d6fe40644130308604845db43d3588e715ec85d/debian/patches/06-CVE-2020-29050.patch
CC: (none) => mageia
sphinx-2.3.2-0.beta.3.1.mga8 has been submitted to core/updates_testing. Advisory #################### Security issue CVE-2020-29050 It was found that sphinx could allow arbitrary files to be read by abusing a configuration option. This has been fixed in this patched update. References ################### https://bugs.mageia.org/show_bug.cgi?id=30076 https://www.debian.org/security/2022/dsa-5036 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BGIIYJ6U7AIFKGIYHMGJHVDPJF5AWYOA/ https://salsa.debian.org/debian/sphinxsearch/-/blob/4d6fe40644130308604845db43d3588e715ec85d/debian/patches/06-CVE-2020-29050.patch RPMs affected ################## lib64sphinxclient1-2.3.2-0.beta.3.1.mga8.x86_64.rpm sphinx-java-2.3.2-0.beta.3.1.mga8.x86_64.rpm lib64sphinxclient-devel-2.3.2-0.beta.3.1.mga8.x86_64.rpm sphinx-debugsource-2.3.2-0.beta.3.1.mga8.x86_64.rpm sphinx-2.3.2-0.beta.3.1.mga8.x86_64.rpm sphinx-debuginfo-2.3.2-0.beta.3.1.mga8.x86_64.rpm From sphinx-2.3.2-0.beta.3.1.mga8.src.rpm Testing ################# I have not come across a test for this issue, so I will leave it to QA to decide whether simply checking install is adequate. There is a quick start guide on usage in /usr/share/doc/sphinx/sphinx.html which is installed by the sphinx base package.
Assignee: zen25000 => qa-bugs
Whiteboard: MGA8TOO => (none)Version: Cauldron => 8
Installed all except debug packages from core into a Vbox guest, then used qarepo to get the updates. No installation issues. This sort of thing is WAY out of my experience, so I am very limited when it comes to testing. I consulted previous updates, and found Bug 10382. That one involved starting the service, which I was able to do successfully: ● sphinx-searchd.service - Sphinx - SQL Full Text Search Engine Loaded: loaded (/usr/lib/systemd/system/sphinx-searchd.service; disabled; vendor preset: disabled) Active: active (running) since Fri 2022-03-18 09:48:09 EDT; 35s ago Process: 50601 ExecStart=/usr/sbin/sphinx-searchd --config /etc/sphinx/sphinx.conf (code=exited, status=0/SUCCESS) Main PID: 50604 (sphinx-searchd) Tasks: 8 (limit: 4695) Memory: 5.0M CPU: 92ms CGroup: /system.slice/sphinx-searchd.service ├─50603 /usr/sbin/sphinx-searchd --config /etc/sphinx/sphinx.conf └─50604 /usr/sbin/sphinx-searchd --config /etc/sphinx/sphinx.conf Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: WARNING: index 'test1': prealloc: failed to open /var/lib/sphinx/test1.sph: No such file or directory; NOT SERVING Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: precaching index 'test1stemmed' Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: WARNING: index 'test1stemmed': prealloc: failed to open /var/lib/sphinx/test1stemmed.sph: No such file or directory; NOT SERVING Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: WARNING: multiple addresses found for 'localhost', using the first one (ip=127.0.0.1) Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: precaching index 'rt' Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50601]: Sphinx 2.3.2-id64-beta (???) Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50601]: Copyright (c) 2001-2016, Andrew Aksyonoff Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50601]: Copyright (c) 2008-2016, Sphinx Technologies Inc (http://sphinxsearch.com) Mar 18 09:48:09 localhost.localdomain systemd[1]: sphinx-searchd.service: Supervising process 50604 which is not our child. We'll most likely not notice when it exits. Mar 18 09:48:09 localhost.localdomain systemd[1]: Started Sphinx - SQL Full Text Search Engine. Bug 25946 was another. The test from that one was more involved, considerably beyond my capabilities. I tried following the quick start guide, but failed at around the second step because I have no clue about what I am trying to do. So, if a clean install and being able to start the service are sufficient, then this is OK.
CC: (none) => andrewsfarm
MGA8-64 Plasmaon Lenovo B50 in Dutch. No installation issues. I wanted to repeat the tests from bug 25946, but therefore I want to use phpmyadmin. The repo has now two versions of this: 5.0.4 and 5.1.2, but both draw in php 8.1.0. In view of the prolems this causes whenn testing further updates of php-8.0.X, I stop here. I will not object TJ to OK this update.
CC: (none) => herman.viaene
Thank you, Herman. Going for it. Validating. Advisory in Comment 6.
Keywords: (none) => validated_updateWhiteboard: (none) => MGA8-64-OKCC: (none) => sysadmin-bugs
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0110.html
Status: NEW => RESOLVEDResolution: (none) => FIXED