Bug 31237 - xfce4-settings new security issue CVE-2022-45062
Summary: xfce4-settings new security issue CVE-2022-45062
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2022-12-07 18:12 CET by David Walser
Modified: 2022-12-17 19:49 CET (History)
5 users (show)

See Also:
Source RPM: xfce4-settings-4.16.0-2.mga8.src.rpm
Status comment:


Description David Walser 2022-12-07 18:12:13 CET
Debian has issued an advisory on December 6:

The issue is fixed upstream in 4.16.4.
David Walser 2022-12-07 18:12:46 CET

Status comment: (none) => Fixed upstream in 4.16.4

Comment 1 Lewis Smith 2022-12-07 20:51:24 CET
I see in Cauldron 4.16.3, 4.17.0 & 1.
This is package is with Jani.

Assignee: bugsquad => jani.valimaa

Comment 2 David Walser 2022-12-12 16:56:33 CET
Fedora has issued an advisory for this on December 10:

Severity: normal => major

Comment 3 Jani Välimaa 2022-12-17 08:14:25 CET
Pushed xfce4-settings-4.16.0-2.1.mga8 to core/updates_testing with a patch from upstream. Please test.


CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs

Comment 4 Herman Viaene 2022-12-17 12:11:52 CET
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
No wiki, no previous updates, so launched xfce4-settings-manager and got warnings on the CLI, but apparently nothing that really matters.
Jumped around on file manager settings, desktop, notifications, keyboard, power manager, pulse audio, session and startup, making a few changes to my own liking, all seems to work OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

David Walser 2022-12-17 16:21:27 CET

Status comment: Fixed upstream in 4.16.4 => (none)

Comment 5 Thomas Andrews 2022-12-17 16:43:16 CET

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Dave Hodgins 2022-12-17 17:41:37 CET
Testing in xfce
Before installing the update
xdg-open 'http://example.org" --private-window"'
opens a http://example.org/ in firefox and opens a private window with no
After installing the update it only opens a normal window with no url.

Testing in plasma with xfce-minimal also installed.
It opens firefox trying to load https://www.xdg-open.com/
Same after the update is installed.

running xdg-open "https://www.mageia.org/en/" does work as expected.

CC: (none) => davidwhodgins

Comment 7 Dave Hodgins 2022-12-17 17:48:17 CET
Advisory committed to svn

Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-12-17 19:49:33 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.