Debian has issued an advisory on May 25: https://www.debian.org/security/2022/dsa-5147 The issue is fixed upstream in 1.20.10. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.20.10Whiteboard: (none) => MGA8TOO
Ubuntu has issued an advisory for this today (May 26): https://ubuntu.com/security/notices/USN-5446-1
Severity: normal => major
This looks good to assign to its registered maintainer, bcornec.
Assignee: bugsquad => bruno
1.12.8 pushed to cauldron 1.20.10 not available upstream yet :-(
Whiteboard: MGA8TOO => (none)Status: NEW => ASSIGNEDVersion: Cauldron => 8
(In reply to Bruno Cornec from comment #3) > 1.12.8 pushed to cauldron I meant 1.21.8
Debian bullseye already updated to 1.20.10, so you should be able to get a tarball from them.
1.20.10 (now available upstream) has been pushed to mga8 updates_testing
CC: (none) => brunoAssignee: bruno => qa-bugs
dpkg-dev-1.20.10-1.mga8 dselect-1.20.10-1.mga8 dpkg-devel-1.20.10-1.mga8 perl-Dpkg-1.20.10-1.mga8 dpkg-1.20.10-1.mga8 from dpkg-1.20.10-1.mga8.src.rpm
Status comment: Fixed upstream in 1.20.10 => (none)
This was silently rebuilt. Package list is now: dpkg-dev-1.20.10-2.mga8 dselect-1.20.10-2.mga8 perl-Dpkg-1.20.10-2.mga8 dpkg-devel-1.20.10-2.mga8 dpkg-1.20.10-2.mga8 from dpkg-1.20.10-2.mga8.src.rpm
mga8, x64 Attempt at updating after qarepo downloads: The following package has to be removed for others to be upgraded: dpkg-dev-1.20.5-4.mga8.noarch (due to unsatisfied dpkg-perl == 1.20.5-4.mga8) yes Sorry, the following package cannot be selected: - dpkg-dev-1.20.10-2.mga8.noarch (due to unsatisfied libselinux.so.1(LIBSELINUX_1.0)) Proceeded without dpkg-dev. Tried a manual update: $ sudo urpmi *.rpm Packages perl-Dpkg-1.20.10-2.mga8.noarch, dpkg-1.20.10-2.mga8.x86_64, dselect-1.20.10-2.mga8.x86_64, dpkg-devel-1.20.10-2.mga8.x86_64 are already installed A requested package cannot be installed: dpkg-dev-1.20.10-2.mga8.noarch (due to unsatisfied libselinux.so.1) Continue installation anyway? (Y/n) Marking dpkg as manually installed, it won't be auto-orphaned writing /var/lib/rpm/installed-through-deps.list While some packages may have been installed, there were failures. A requested package cannot be installed: dpkg-dev-1.20.10-2.mga8.noarch (due to unsatisfied libselinux.so.1) Continue installation anyway? $ rpm -qa | grep -i dpkg dpkg-devel-1.20.10-2.mga8 perl-Dpkg-1.20.10-2.mga8 dpkg-1.20.10-2.mga8 $ rpm -qa | grep dselect dselect-1.20.10-2.mga8 $ rpm -q dpkg-dev package dpkg-dev is not installed $ rpm -q libselinux libselinux-3.2-0.rc1.4.mga8 What to do now?
Keywords: (none) => feedbackCC: (none) => tarazed25
SUSE has issued an advisory for this on August 5: https://lists.suse.com/pipermail/sle-security-updates/2022-August/011813.html Bruno, Len's issue in Comment 9 is because dpkg-dev is a noarch package linked to an arch'd library. Looks like either it should not be noarch, or it contains an arch'd file that should be in a different subpackage.
Keywords: feedback => (none)Assignee: qa-bugs => bruno
Thx David for the warning. i've now uploaded the following: dpkg-dev-1.20.10-3.mga8 dselect-1.20.10-3.mga8 perl-Dpkg-1.20.10-3.mga8 dpkg-devel-1.20.10-3.mga8 dpkg-1.20.10-3.mga8 from dpkg-1.20.10-3.mga8.src.rpm It is fixing the reported issue by Len on my system.
Thanks.
Assignee: bruno => qa-bugs
MGA8-64 Plasma on Acer Aspire 5253 No installation issues Ref bug 23411 for testing. # dpkg --version Debian 'dpkg' package management program version 1.20.10 (amd64). This is free software; see the GNU General Public License version 2 or later for copying conditions. There is NO warranty. # dpkg --print-architecture amd64 Downloaded stable debian package for bash, then # dpkg -c bash_5.1-2+deb11u1_amd64.deb drwxr-xr-x root/root 0 2022-03-27 20:40 ./ drwxr-xr-x root/root 0 2022-03-27 20:40 ./bin/ -rwxr-xr-x root/root 1234376 2022-03-27 20:40 ./bin/bash drwxr-xr-x root/root 0 2022-03-27 20:40 ./etc/ -rw-r--r-- root/root 1994 2022-03-27 20:40 ./etc/bash.bashrc drwxr-xr-x root/root 0 2022-03-27 20:40 ./etc/skel/ -rw-r--r-- root/root 220 2022-03-27 20:40 ./etc/skel/.bash_logout -rw-r--r-- root/root 3526 2022-03-27 20:40 ./etc/skel/.bashrc -rw-r--r-- root/root 807 2022-03-27 20:40 ./etc/skel/.profile drwxr-xr-x root/root 0 2022-03-27 20:40 ./usr/ drwxr-xr-x root/root 0 2022-03-27 20:40 ./usr/bin/ -rwxr-xr-x root/root 6759 2022-03-27 20:40 ./usr/bin/bashbug -rwxr-xr-x root/root 14648 2022-03-27 20:40 ./usr/bin/clear_console and a load more.... dpkg -x bash_5.1-2+deb11u1_amd64.deb /home/tester8/tmp/ checked that above files have been created in the correct folders under /home/tester8/tmp/: all OK. I couldn't get my headaround Len's test with coapp, so leaving it. I will not object someone else OK'ing this.
CC: (none) => herman.viaene
As no objections have been forthcoming, I'm giving this an OK based on the test in Comment 13. Validating.
CC: (none) => andrewsfarm, sysadmin-bugsWhiteboard: (none) => MGA8-64-OKKeywords: (none) => validated_update
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0327.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED