openSUSE has issued an advisory today (January 23):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OY3PZTUNJBOAOSBB3625O5WLS7HRY73I/
Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream and openSUSE
Fedora has issued an advisory on January 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TGEP3FBNRZXGLIA2B2ICMB32JVMPREFZ/
There were actually two security issues fixed upstream post-4.0.1.
Summary: upx new security issue CVE-2023-23457 => upx new security issues CVE-2023-2345[67]
Status comment: Patches available from upstream and openSUSE => Patches available from upstream and Fedora
Severity: normal => major
Cauldron is already fixed with release 4.0.1 and 2 patches.
CC: (none) => geiger.david68210
You should have filed a bug then.
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assigning to all packagers collectively, because there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Done for mga8! Updating to 4.0.2 release.
upx-4.0.2-1.mga8 from upx-4.0.2-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status comment: Patches available from upstream and Fedora => (none)
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 29016 Comment 5 for testing:
cd tmp/upxtest/
$ upx --version
upx 4.0.2
UCL data compression library 1.03
zlib data compression library 1.2.13.1-motley
LZMA SDK version 4.43
doctest C++ testing framework version 2.4.9
Copyright (C) 1996-2023 Markus Franz Xaver Johannes Oberhumer
and more.....
UPX comes with ABSOLUTELY NO WARRANTY; for details type 'upx -L'.
$ upx -L
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2023
UPX 4.0.2 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 30th 2023
This program may be used freely, and you are welcome to
and more ....
$ cp /bin/blender .
$ ll blender
-rwxr-xr-x 1 tester8 tester8 80046904 Feb 14 10:27 blender*
$ upx blender
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2023
UPX 4.0.2 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 30th 2023
File size Ratio Format Name
-------------------- ------ ----------- -----------
80046904 -> 31067232 38.81% linux/amd64 blender
Packed 1 file.
$ ll blender
-rwxr-xr-x 1 tester8 tester8 31067232 Feb 14 10:27 blender*
Definitely smaller size
$ upx -d -o blender.clone -f blender
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2023
UPX 4.0.2 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 30th 2023
File size Ratio Format Name
-------------------- ------ ----------- -----------
[WARNING] bad b_info at 0x1cef6aa
[WARNING] ... recovery at 0x1cef6aa
80050472 <- 31067232 38.81% linux/amd64 blender.clone
Unpacked 1 file.
$ ./blender.clone
Read prefs: /home/tester8/.config/blender/2.83/config/userpref.blend
Blender opened, I could select Video editing, added an mpg file and played it in the View, seems OK
$ ./blender
Read prefs: /home/tester8/.config/blender/2.83/config/userpref.blend
Saved session recovery to '/tmp/quit.blend'
Blender quit
Also opened correctly, select Video editing, added an avi file and played it in the View, seems OK.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0052.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED