Debian-LTS has issued an advisory on March 7: https://www.debian.org/lts/security/2022/dla-2934 The issue is fixed upstream in 0.19.4.
Status comment: (none) => Fixed upstream in 0.19.4
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=28749
CC: (none) => smelror
CC: (none) => fri
Setting to registered packager. The update is also good for other reasons.
Assignee: bugsquad => yann.cantin
Debian-LTS has issued another advisory for this on August 18: https://www.debian.org/lts/security/2022/dla-3076
Current stable version is 0.20. Flatpak provides 0.20.1. No response from Yann, so I promote smelror to assignee; please reset if you are not interested. I see David G has also packaged it in the past. I will do a quick test when packaged.
Assignee: yann.cantin => smelror
CC: (none) => geiger.david68210, yann.cantin
*** Bug 28749 has been marked as a duplicate of this bug. ***
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Improper sanitization in the invocation of ODA File Converter from FreeCAD 0.19 allows an attacker to inject OS commands via a crafted filename. (CVE-2021-45844)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45844
https://www.debian.org/lts/security/2022/dla-2934
https://www.debian.org/lts/security/2022/dla-3076
========================

Updated packages in core/updates_testing:
========================
freecad-0.18.6-1.3.mga8
freecad-data-0.18.6-1.3.mga8

from SRPM:
freecad-0.18.6-1.3.mga8.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-45844
Assignee: smelror => qa-bugs
Status comment: Fixed upstream in 0.19.4 => (none)
CC: (none) => nicolas.salguero
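The advisory text above describes the bug class (a filename reaching a shell when the converter is invoked) but not the code. The following is an added example, not FreeCAD's code and not taken from the Debian advisories: the converter name, the argument order and the crafted filename are assumptions chosen only to make the pattern visible. It shows the vulnerable shell-string form next to the argv-list form that closes the hole, and probes the hardened call with a stand-in child process to show the crafted name arriving as a single argument.

```python
"""Command-injection pattern behind CVE-2021-45844, shown generically.

Added example, not FreeCAD's code: CONVERTER, the argument order and
CRAFTED_NAME are assumptions made for illustration only.
"""
import json
import shlex
import subprocess
import sys
from typing import List

CONVERTER = "ODAFileConverter"          # assumed binary name, not from the page
SHELL_OPERATORS = {";", "&&", "||", "|", "&"}

# Constructed attacker-controlled filename: closes the quoted argument,
# appends a command, then re-opens a quote so the rest of the line still parses.
CRAFTED_NAME = 'drawing.dwg"; touch /tmp/pwned; echo "'


def unsafe_command(dwg_path: str, out_dir: str) -> str:
    """Vulnerable pattern: a user-controlled path pasted into a shell string.

    Handing this string to os.system() or subprocess with shell=True lets the
    shell interpret the quotes and ';' that came from the filename.
    """
    return f'{CONVERTER} "{dwg_path}" "{out_dir}" ACAD2000 DXF 0 1'


def shell_operators_in(command: str) -> List[str]:
    """Tokenise the string as a POSIX shell would and list the separators found.

    Makes the injection visible without executing anything.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok in SHELL_OPERATORS]


def safe_argv(dwg_path: str, out_dir: str) -> List[str]:
    """Hardened form: build an argv list so no shell ever parses the name.

    With shell=False each list element reaches the child as exactly one argv
    entry; quotes and ';' in the filename are plain characters, not syntax.
    """
    return [CONVERTER, dwg_path, out_dir, "ACAD2000", "DXF", "0", "1"]


def run_converter(dwg_path: str, out_dir: str) -> subprocess.CompletedProcess:
    """How the hardened call site invokes the real converter (needs it installed)."""
    return subprocess.run(safe_argv(dwg_path, out_dir), shell=False, check=True)


def argv_as_received(argv: List[str]) -> List[str]:
    """Swap the converter for a Python probe that echoes back its own argv.

    Demonstrates that the crafted name is delivered as a single argument.
    """
    probe = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"] + argv[1:]
    out = subprocess.run(probe, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    cmd = unsafe_command(CRAFTED_NAME, "/tmp/out")
    print("shell string:", cmd)
    print("separators a shell would honour:", shell_operators_in(cmd))
    print("argv the hardened call delivers:",
          argv_as_received(safe_argv(CRAFTED_NAME, "/tmp/out")))
```

The fix that matters is the switch from a shell string to an argv list; path validation (extension, control characters) is a useful extra check but on its own does not remove the shell from the picture.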
Quick test OK. Is there a build/dep problem with packaging version 0.20.1? It is the current stable. There is no use putting work into packaging and QA if users anyway use alternative methods to easily install and update the current version... 0.20.1 is available as both AppImage and flatpak. I have tested that both run on mga8. And their dev version is also available as flatpak, BTW.
Mageia 8 is a stable release. We'll patch things where we can.
Yes... there are small incompatibilities.
*) Two sides of this coin: not surprising our users with a new version, and the other is that users want to be compatible with other people's new creations and tutorials.
*) such as https://tracker.freecadweb.org/view.php?id=4448 https://forum.freecadweb.org/viewtopic.php?t=38928
Actually, in real life, in cases like this it is much better to update by big version steps within a current Mageia, as users can then easily downgrade back. When we force a new program version on them when they upgrade to the next Mageia, they cannot go back as easily!
Our 0.18.6 is two main version steps behind *stable*:
https://wiki.freecadweb.org/Release_notes_0.19
https://wiki.freecadweb.org/Release_notes_0.20
*If* we had more manpower we ought to push current software versions to backports, like we actually do for KiCAD. But given low resources, I ponder whether we should generally stop packaging big leaf packages like freecad, kicad... and other such programs that our users can anyway install in any version they like by other methods we already provide. Also Nextcloud comes to mind... Spare the resources to keep the system in shape, the underlying packages, and the subsystems like flatpak up to date. But this should be discussed on another channel...
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
For future reference, CVE-2021-45845 was also fixed in 0.19.4. 0.18.x (and thus Mageia 8) was not affected: https://www.debian.org/security/2022/dsa-5229
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0325.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED