Debian has issued an advisory on January 6:
I didn't realize it was for the same package.
openSUSE has issued an advisory for this today (February 21):
Mageia 8 is also affected.
I am not sure what to do with this.
Version 2.3.2 is the latest version for which Sphinx have released sources, I have been waiting for this to change, but they are now talking about version 4.x.x and have still not made any 3.x.x sources available, only pre-packaged binaries as far as I can see.
I suspect that the fix applies binary patches, which if made for 3.x.x will be useless for 2.3.2.
I think that other distros somehow use the upstream binary repository in order to provide the latest package.
It looks like Debian and openSUSE have backported patches. It sounds like the package should probably be dropped in Cauldron.
Glad Barry picked this up; changing you from CC to assignee.
I have requested access to current sources upstream.
Here is the Debian patch:
sphinx-2.3.2-0.beta.3.1.mga8 has been submitted to core/updates_testing.
Security issue CVE-2020-29050
It was found that sphinx could allow arbitrary files to be read by abusing a configuration option.
This has been fixed in this patched update.
I have not come across a test for this issue, so I will leave it to QA to decide whether simply checking install is adequate.
There is a quick start guide on usage in /usr/share/doc/sphinx/sphinx.html which is installed by the sphinx base package.
Installed all except debug packages from core into a Vbox guest, then used qarepo to get the updates. No installation issues.
This sort of thing is WAY out of my experience, so I am very limited when it comes to testing. I consulted previous updates, and found Bug 10382. That one involved starting the service, which I was able to do successfully:
● sphinx-searchd.service - Sphinx - SQL Full Text Search Engine
Loaded: loaded (/usr/lib/systemd/system/sphinx-searchd.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2022-03-18 09:48:09 EDT; 35s ago
Process: 50601 ExecStart=/usr/sbin/sphinx-searchd --config /etc/sphinx/sphinx.conf (code=exited, status=0/SUCCESS)
Main PID: 50604 (sphinx-searchd)
Tasks: 8 (limit: 4695)
├─50603 /usr/sbin/sphinx-searchd --config /etc/sphinx/sphinx.conf
└─50604 /usr/sbin/sphinx-searchd --config /etc/sphinx/sphinx.conf
Mar 18 09:48:09 localhost.localdomain sphinx-searchd: WARNING: index 'test1': prealloc: failed to open /var/lib/sphinx/test1.sph: No such file or directory; NOT SERVING
Mar 18 09:48:09 localhost.localdomain sphinx-searchd: precaching index 'test1stemmed'
Mar 18 09:48:09 localhost.localdomain sphinx-searchd: WARNING: index 'test1stemmed': prealloc: failed to open /var/lib/sphinx/test1stemmed.sph: No such file or directory; NOT SERVING
Mar 18 09:48:09 localhost.localdomain sphinx-searchd: WARNING: multiple addresses found for 'localhost', using the first one (ip=127.0.0.1)
Mar 18 09:48:09 localhost.localdomain sphinx-searchd: precaching index 'rt'
Mar 18 09:48:09 localhost.localdomain sphinx-searchd: Sphinx 2.3.2-id64-beta (???)
Mar 18 09:48:09 localhost.localdomain sphinx-searchd: Copyright (c) 2001-2016, Andrew Aksyonoff
Mar 18 09:48:09 localhost.localdomain sphinx-searchd: Copyright (c) 2008-2016, Sphinx Technologies Inc (http://sphinxsearch.com)
Mar 18 09:48:09 localhost.localdomain systemd: sphinx-searchd.service: Supervising process 50604 which is not our child. We'll most likely not notice when it exits.
Mar 18 09:48:09 localhost.localdomain systemd: Started Sphinx - SQL Full Text Search Engine.
Bug 25946 was another. The test from that one was more involved, considerably beyond my capabilities. I tried following the quick start guide, but failed at around the second step because I have no clue about what I am trying to do.
So, if a clean install and being able to start the service are sufficient, then this is OK.
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
I wanted to repeat the tests from bug 25946, but therefore I want to use phpmyadmin.
The repo now has two versions of this: 5.0.4 and 5.1.2, but both draw in php 8.1.0. In view of the problems this causes when testing further updates of php-8.0.X, I stop here.
I will not object to TJ OKing this update.
Thank you, Herman. Going for it.
Validating. Advisory in Comment 6.
An update for this issue has been pushed to the Mageia Updates repository.