All the testing is done in bug#32603, but due to bug#32609 the bug can't be closed in the traditional way.

Advisory
========

Upstream released version 3.6.4 to fix CVE-2023-49284.

CVE-2023-49284: fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation.

References
==========

https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f

Files
=====

Uploaded to 9/core/updates_testing
fish-3.6.4-1.mga9
from fish-3.6.4-1.mga9.src.rpm

Uploaded to 8/core/updates_testing
fish-3.4.1-1.1.mga8
from fish-3.4.1-1.1.mga8.src.rpm
Whiteboard: (none) => MGA8-64-OK MGA9-64-OK
CC: (none) => marja11
Marja, please use the advisory of bug#32603 in this bug. In this way, once this bug is marked as validated, the packages can be moved.
QA Contact: (none) => security
Component: RPM Packages => Security
Summary: fish-shell security issue CVE-2023-4928 II => fish-shell security issue CVE-2023-49284
Now what must be done? Close this as a duplicate of the original?
*** Bug 32603 has been marked as a duplicate of this bug. ***
CC: (none) => smelror
I have copied 32603.adv to 32614.adv, while adjusting the reference to match this report. It has been uploaded to SVN and 32603.adv has been deleted.
Keywords: (none) => advisory
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA8-64-OK MGA9-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0344.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED