openSUSE has issued an advisory on December 4:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O3LINIV5NYLJYVZQQS73MPYNTWII3ZH2/

Mageia 8 is also affected.
The issue is apparently fixed upstream in a newer version. I don't quite understand their versioning with the +'s sometimes in them, but the newest upstream version should have the fix.
Whiteboard: (none) => MGA8TOO
A rare package in wally's court, so assigning to you.
Status comment: (none) => newest upstream version should have the fix
Assignee: bugsquad => jani.valimaa
Suggested advisory:
========================

The updated package fixes a security vulnerability:

A cross-site scripting (XSS) vulnerability in CherryTree v0.99.30 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field when creating a node. (CVE-2022-35133)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O3LINIV5NYLJYVZQQS73MPYNTWII3ZH2/
========================

Updated package in core/updates_testing:
========================
cherrytree-1.0.4-1.mga9

from SRPM:
cherrytree-1.0.4-1.mga9.src.rpm
Assignee: jani.valimaa => qa-bugs
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Status comment: newest upstream version should have the fix => (none)
CVE: (none) => CVE-2022-35133
CC: (none) => nicolas.salguero
Keywords: (none) => advisory
MGA9-64 Plasma, i5-7500, nvidia Quadro K620 graphics. Installed cherrytree and dependencies, ran it just long enough to see the GUI come up, then got the update with no installation issues. No previous updates, and I'm completely unfamiliar with this application, so I sought guidance on the Web, finding a couple of introductory videos on YouTube. Armed with this vast new knowledge, I opened Cherrytree and played around, creating a node and subnodes, customizing them with different colors, adding a note or two, saving it in xml format, loading it back again (I did have to tell Plasma it was a tool for using xml files), exporting to pdf, and printing a copy. Everything worked, with no issues. This looks good to go. Validating.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0074.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED