openSUSE has issued an advisory on October 9: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/NII5WWMANSN5NYNMNOK7LJ2P5FT7TW5X/
CVE: (none) => CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
Source RPM: (none) => mozjs78-78.15.0-8.mga10.src.rpm
Status comment: (none) => Patches available from openSUSE
Whiteboard: (none) => MGA9TOO
"Patches available from openSUSE" I could not find them... No evident packager for this, so assigning it globally.
Assignee: bugsquad => pkg-bugs
For Cauldron, mozjs78 cannot build because it does not support python 3.12.
Anyway I committed the patches into SVN also for Cauldron.
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. (CVE-2024-45490)

An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). (CVE-2024-45491)

An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). (CVE-2024-45492)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/NII5WWMANSN5NYNMNOK7LJ2P5FT7TW5X/
========================

Updated packages in core/updates_testing:
========================
lib(64)mozjs78-78.15.0-7.1.mga9
lib(64)mozjs78-devel-78.15.0-7.1.mga9

from SRPM:
mozjs78-78.15.0-7.1.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs
Source RPM: mozjs78-78.15.0-8.mga10.src.rpm => mozjs78-78.15.0-7.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Status comment: Patches available from openSUSE => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Keywords: (none) => advisory
MGA9-64 MATE on HP-Pavillion
No installation issues
No previous updates, very little info in google, so tried

# urpmq --whatrequires lib64mozjs78
couchdb
lib64cjs0
lib64mozjs78
lib64mozjs78-devel

not much help, so one step further

# urpmq --whatrequires-recursive lib64mozjs78
cinnamon
cinnamon-devel-doc
cjs
couchdb
lib64cjs-devel
lib64cjs-gir1.0
lib64cjs0
lib64mozjs78
lib64mozjs78-devel
nemo-preview
task-cinnamon
task-cinnamon-devel
task-cinnamon-minimal

cjs is also related to cinnamon, but I don't feel like installing that desktop (yet?)
Installed couchdb, but ran into problems there

$ couchdb
cat: /usr/bin/../releases/start_erl.data: No such file or directory
/usr/bin/couchdb: line 49: /usr/bin/../erts-/bin/erlexec: No such file or directory

looks like a dependency problem???
CC: (none) => herman.viaene
Took a deep breath and installed task-cinnamon and its dependencies. Logged in again to cinnamon and it seemed to work OK as far as I muddled around in its settings. Got out as quickly as I could since this seemed quite a different beast than the Linux Mint Cinnamon I ran in a VM a couple of years ago. If this is considered a conclusive test, please go ahead and OK it, you have my blessing.
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
Thank you, Herman. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
It should not be embedding its own copy of expat, which we have in a separate package. Is it a standard version or is it customized?
CC: (none) => dan
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0338.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
(In reply to Dan Fandrich from comment #8)
> It should not be embedding its own copy of expat, which we have in a
> separate package. Is it a standard version or is it customized?

Indeed, please file a bug for this.
On Cauldron we can remove mozjs78 and couchdb, which is the only one that needs it.
CC: (none) => geiger.david68210
Yes, it should be removed.
I've opened bug 33691 on the embedded expat issue.