Bug 32896 - Update mga9 to sympa 6.2.72 to fix CVE-2021-32850
Summary: Update mga9 to sympa 6.2.72 to fix CVE-2021-32850
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Reported: 2024-02-26 11:23 CET by Bruno Cornec
Modified: 2024-02-29 18:42 CET
Source RPM: sympa-6.2.70-1.mga9.src.rpm
CVE: CVE-2021-32850

Description Bruno Cornec 2024-02-26 11:23:02 CET
Description of problem:

Mageia 9 should be updated to provide Sympa 6.2.72, which fixes many bugs, including the security one related to CVE-2021-32850.
Comment 1 Bruno Cornec 2024-02-26 11:28:12 CET
sympa-6.2.72-1.mga9.src.rpm provided in updates_testing with the generated packages:
RPMS/x86_64/sympa-6.2.72-1.mga9.x86_64.rpm
RPMS/x86_64/sympa-postgresql-6.2.72-1.mga9.x86_64.rpm
RPMS/x86_64/sympa-www-6.2.72-1.mga9.x86_64.rpm
RPMS/x86_64/sympa-mysql-6.2.72-1.mga9.x86_64.rpm

I've run that in production on MGA8 for more than 6 months now, and I'm updating my prod server to mga9, hence this update!

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs

katnatek 2024-02-26 21:09:35 CET

Component: RPM Packages => Security
CVE: (none) => CVE-2021-32850
QA Contact: (none) => security

katnatek 2024-02-26 21:15:36 CET

CC: (none) => andrewsfarm

katnatek 2024-02-26 21:15:46 CET

Keywords: (none) => advisory

Comment 2 Thomas Andrews 2024-02-27 16:12:00 CET
MGA9 Plasma in VirtualBox. Installed the current packages and dependencies, then updated using qarepo. No installation issues.

The last two updates to sympa, bug 23536 and bug 26308, were OKed on the basis of a clean install, even though the tester was unable to get it running. As written in bug 23536 comment 10, "Sympa web interface may be quite difficult to setup for someone not familiar with configuring a web server manually."

So, taking comment 1 as confirmation that this version works in Mageia 8, QA efforts mostly need to confirm that the update has that clean install in Mageia 9.

So, giving this an OK, and validating. Bruno, if there are any issues with this in Mageia 9, it will be up to you to identify them and open another bug if necessary.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 3 Bruno Cornec 2024-02-27 16:35:36 CET
(In reply to Thomas Andrews from comment #2)
> So, giving this an OK, and validating. Bruno, if there are any issues with
> this in Mageia 9, it will be up to you to identify them and open another bug
> if necessary.

Thanks, that's fine with me.
Comment 4 Dan Fandrich 2024-02-28 06:19:25 CET
I think it's worthwhile mentioning in the release advisory that running "sympa upgrade" manually will be necessary for this update. Probably every Sympa sysadmin already knows this, but not all do.

CC: (none) => dan

Comment 5 katnatek 2024-02-28 18:57:46 CET
(In reply to Dan Fandrich from comment #4)
> I think it's worthwhile mentioning in the release advisory that running
> "sympa upgrade" manually will be necessary for this update. Probably every
> Sympa sysadmin already knows this, but not all do.

Not in the advisory, but perhaps in a README.install.urpmi file?
What do you think, Bruno?

Keywords: validated_update => feedback

Comment 6 David Walser 2024-02-28 23:07:29 CET
Yes, it should be in the advisory. A README.update.urpmi (not install) is a good idea too.
Comment 7 Bruno Cornec 2024-02-29 01:55:35 CET
(In reply to katnatek from comment #5)
> (In reply to Dan Fandrich from comment #4)
> > I think it's worthwhile mentioning in the release advisory that running
> > "sympa upgrade" manually will be necessary for this update. Probably every
> > Sympa sysadmin already knows this, but not all do.
> 
> Not in the advisory, but perhaps in a README.install.urpmi file?
> What do you think, Bruno?

Yes, that would be a good idea.
BTW, I don't know why it's not recommended on https://wiki.mageia.org/en/Construire_des_paquetages_RPM-fr

sympa-6.2.72-4 is now on its way for both cauldron and mga9 with this addition.
Comment 8 katnatek 2024-02-29 02:44:09 CET
(In reply to Bruno Cornec from comment #7)
> (In reply to katnatek from comment #5)
> > (In reply to Dan Fandrich from comment #4)
> > > I think it's worthwhile mentioning in the release advisory that running
> > > "sympa upgrade" manually will be necessary for this update. Probably every
> > > Sympa sysadmin already knows this, but not all do.
> > 
> > Not in the advisory, but perhaps in a README.install.urpmi file?
> > What do you think, Bruno?
> 
> Yes, that would be a good idea.
> BTW, I don't know why it's not recommended on
> https://wiki.mageia.org/en/Construire_des_paquetages_RPM-fr
https://wiki.mageia.org/en/Construire_des_paquetages_RPM-fr#Interaction_avec_urpmi_et_rpmdrake

> 
> sympa-6.2.72-4 is now on its way for both cauldron and mga9 with this
> addition.

Thank you
Comment 9 katnatek 2024-02-29 05:41:51 CET
Real Hardware Mageia 8 x86_64
Basic test of update from current version
See the warning about sympa upgrade

Advisory Updated
Validating again

Keywords: feedback => validated_update

Comment 10 katnatek 2024-02-29 05:45:38 CET
(In reply to katnatek from comment #9)
> Real Hardware Mageia 8 x86_64
Of course, I mean Mageia 9 :facepalm:
Comment 11 Mageia Robot 2024-02-29 18:42:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0052.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
