Ubuntu has issued an advisory on September 21:
https://ubuntu.com/security/notices/USN-6395-1

Fixed by:
https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/521525948eed85cc27c0796a0b9569d161df81ba

Fixed by:
https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/671df28a509ae208e158976f0855d91fdbea16a1

Mageia 9 is also affected but Mageia 8 is not.

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => gnome-shell-44.2-1.mga9.src.rpm
Various packagers have dealt with this SRPM, so assigning to Gnome group.
Assignee: bugsquad => gnome
Suggested advisory:
========================

The updated packages fix a security vulnerability:

GNOME Shell's lock screen allows an unauthenticated local user to view windows of the locked desktop session by using keyboard shortcuts to unlock the restricted functionality of the screenshot tool. (CVE-2023-43090)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43090
https://ubuntu.com/security/notices/USN-6395-1
========================

Updated packages in core/updates_testing:
========================
gnome-shell-44.2-1.1.mga9
gnome-shell-api_doc-44.2-1.1.mga9

from SRPM:
gnome-shell-44.2-1.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Assignee: gnome => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 9
Why use an old version?
CC: (none) => xerxes2
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory
CC: (none) => marja11

(In reply to Jens Persson from comment #3)
> Why use an old version?

https://wiki.mageia.org/en/Updates_policy#Version_Policy

(In reply to Marja Van Waes from comment #5)
> (In reply to Jens Persson from comment #3)
> > Why use an old version?
>
> https://wiki.mageia.org/en/Updates_policy#Version_Policy

Yeah that is what I meant. Plenty of bug fix releases out already. Latest is 44.6 I think.
https://download.gnome.org/sources/gnome-shell/44/
Updated with QA repo and RPM:
gnome-shell-44.2-1.1.mga9

No issues after reboot. I can connect my user and lock/unlock my session without problem.
CC: (none) => guillaume.royer
MGA9-64, GNOME

The following package is going to be installed:

- gnome-shell-44.2-1.1.mga9.x86_64

0B of additional disk space will be used.
1.7MB of packages will be retrieved.

-- rebooted, spent most of a day with it. No issues and screenlocks working as expected.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => brtians1
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
@Jens: If you believe we should update all of Gnome, then by all means file a bug on the subject and debate it there. But in the meantime, we shouldn't hold this security patch back for it.
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0311.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED