Bug 30076 - sphinx new security issue CVE-2020-29050
Summary: sphinx new security issue CVE-2020-29050
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-02-21 23:53 CET by David Walser
Modified: 2022-03-23 09:37 CET

See Also:
Source RPM: sphinx-2.3.2-0.beta.3.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2022-02-21 23:53:29 CET
Debian has issued an advisory on January 6:
https://www.debian.org/security/2022/dsa-5036

I didn't realize it was for the same package.

openSUSE has issued an advisory for this today (February 21):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BGIIYJ6U7AIFKGIYHMGJHVDPJF5AWYOA/

Mageia 8 is also affected.
David Walser 2022-02-21 23:53:44 CET

Whiteboard: (none) => MGA8TOO

David Walser 2022-02-21 23:55:05 CET

CC: (none) => java, zen25000

Comment 1 Barry Jackson 2022-02-22 12:35:57 CET
Thanks David,
I am not sure what to do with this.
Version 2.3.2 is the latest version for which Sphinx have released sources. I have been waiting for this to change, but they are now talking about version 4.x.x and have still not made any 3.x.x sources available, only pre-packaged binaries as far as I can see.
I suspect that the fix applies binary patches, which if made for 3.x.x will be useless for 2.3.2.
I think that other distros somehow use the upstream binary repository in order to provide the latest package.
Comment 2 David Walser 2022-02-22 15:12:54 CET
It looks like Debian and openSUSE have backported patches.  It sounds like the package should probably be dropped in Cauldron.
Comment 3 Lewis Smith 2022-02-22 19:50:41 CET
Glad Barry picked this up; changing you from CC to assignee.

Assignee: bugsquad => zen25000
CC: zen25000 => (none)

Comment 4 Barry Jackson 2022-02-23 19:06:18 CET
I have requested access to current sources upstream.
Comment 5 Nicolas Lécureuil 2022-02-24 22:18:05 CET
Here is the Debian patch:

https://salsa.debian.org/debian/sphinxsearch/-/blob/4d6fe40644130308604845db43d3588e715ec85d/debian/patches/06-CVE-2020-29050.patch

CC: (none) => mageia

Comment 6 Barry Jackson 2022-03-09 00:36:40 CET
sphinx-2.3.2-0.beta.3.1.mga8 has been submitted to core/updates_testing.

Advisory
####################
Security issue CVE-2020-29050
It was found that sphinx could allow arbitrary files to be read by abusing a configuration option.
This has been fixed in this patched update.

References
###################
https://bugs.mageia.org/show_bug.cgi?id=30076

https://www.debian.org/security/2022/dsa-5036

https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BGIIYJ6U7AIFKGIYHMGJHVDPJF5AWYOA/

https://salsa.debian.org/debian/sphinxsearch/-/blob/4d6fe40644130308604845db43d3588e715ec85d/debian/patches/06-CVE-2020-29050.patch

RPMs affected
##################
lib64sphinxclient1-2.3.2-0.beta.3.1.mga8.x86_64.rpm
sphinx-java-2.3.2-0.beta.3.1.mga8.x86_64.rpm
lib64sphinxclient-devel-2.3.2-0.beta.3.1.mga8.x86_64.rpm
sphinx-debugsource-2.3.2-0.beta.3.1.mga8.x86_64.rpm
sphinx-2.3.2-0.beta.3.1.mga8.x86_64.rpm
sphinx-debuginfo-2.3.2-0.beta.3.1.mga8.x86_64.rpm

From
sphinx-2.3.2-0.beta.3.1.mga8.src.rpm

Testing
#################
I have not come across a test for this issue, so I will leave it to QA to decide whether simply checking install is adequate.
There is a quick start guide on usage in /usr/share/doc/sphinx/sphinx.html which is installed by the sphinx base package.

Assignee: zen25000 => qa-bugs

Thomas Backlund 2022-03-09 17:19:00 CET

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 7 Thomas Andrews 2022-03-18 16:28:58 CET
Installed all except debug packages from core into a Vbox guest, then used qarepo to get the updates. No installation issues.

This sort of thing is WAY out of my experience, so I am very limited when it comes to testing. I consulted previous updates, and found Bug 10382. That one involved starting the service, which I was able to do successfully:

● sphinx-searchd.service - Sphinx - SQL Full Text Search Engine
     Loaded: loaded (/usr/lib/systemd/system/sphinx-searchd.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-03-18 09:48:09 EDT; 35s ago
    Process: 50601 ExecStart=/usr/sbin/sphinx-searchd --config /etc/sphinx/sphinx.conf (code=exited, status=0/SUCCESS)
   Main PID: 50604 (sphinx-searchd)
      Tasks: 8 (limit: 4695)
     Memory: 5.0M
        CPU: 92ms
     CGroup: /system.slice/sphinx-searchd.service
             ├─50603 /usr/sbin/sphinx-searchd --config /etc/sphinx/sphinx.conf
             └─50604 /usr/sbin/sphinx-searchd --config /etc/sphinx/sphinx.conf

Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: WARNING: index 'test1': prealloc: failed to open /var/lib/sphinx/test1.sph: No such file or directory; NOT SERVING
Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: precaching index 'test1stemmed'
Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: WARNING: index 'test1stemmed': prealloc: failed to open /var/lib/sphinx/test1stemmed.sph: No such file or directory; NOT SERVING
Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: WARNING: multiple addresses found for 'localhost', using the first one (ip=127.0.0.1)
Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: precaching index 'rt'
Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50601]: Sphinx 2.3.2-id64-beta (???)
Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50601]: Copyright (c) 2001-2016, Andrew Aksyonoff
Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50601]: Copyright (c) 2008-2016, Sphinx Technologies Inc (http://sphinxsearch.com)
Mar 18 09:48:09 localhost.localdomain systemd[1]: sphinx-searchd.service: Supervising process 50604 which is not our child. We'll most likely not notice when it exits.
Mar 18 09:48:09 localhost.localdomain systemd[1]: Started Sphinx - SQL Full Text Search Engine.


Bug 25946 was another. The test from that one was more involved, considerably beyond my capabilities. I tried following the quick start guide, but failed at around the second step because I have no clue about what I am trying to do.

So, if a clean install and being able to start the service are sufficient, then this is OK.

CC: (none) => andrewsfarm

Comment 8 Herman Viaene 2022-03-21 15:53:54 CET
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
I wanted to repeat the tests from bug 25946, but for that I want to use phpmyadmin.
The repo now has two versions of this: 5.0.4 and 5.1.2, but both draw in php 8.1.0. In view of the problems this causes when testing further updates of php-8.0.X, I stop here.
I will not object to TJ OK'ing this update.

CC: (none) => herman.viaene

Comment 9 Thomas Andrews 2022-03-22 20:16:21 CET
Thank you, Herman. Going for it.

Validating. Advisory in Comment 6.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs

Dave Hodgins 2022-03-23 00:34:00 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 10 Mageia Robot 2022-03-23 09:37:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0110.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

