Fedora has issued an advisory on September 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/65HAXFJCJPZ47ZQEJJ7OJFJ2IO3QASZP/

The issue is fixed upstream in 1.5.1:
https://dev.gajim.org/gajim/gajim/-/blob/master/ChangeLog

They updated python-nbxmpp to 3.2.2 as part of this update, so we should in Cauldron as well:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SSB75YVTGSPOTY7JRCRSDEVW35QSHX4N/

I'm not sure if that's needed to fully fix the CVE.

Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.5.1
Whiteboard: (none) => MGA8TOO
Assigning to the registered maintainer Sander.
Assignee: bugsquad => mageia
Source RPM: gajim-1.4.2-1.mga9.src.rpm => gajim-1.3.3-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero
After gajim 1.3.3, the Python version should be 3.9+, which we don't have in Mageia 8. I didn't identify the commit(s) related to fixing the CVE-2022-39835 vulnerability. All that is said is that 1.5.0 fixes the vulnerability. I think we won't fix that.
CC: (none) => yvesbrungard
Mageia 8 EOL
Status: NEW => RESOLVED
Resolution: (none) => OLD