SuSE has issued this advisory today (May 10):
http://lists.opensuse.org/opensuse-updates/2012-05/msg00013.html

From the discussion in the bug:
https://bugzilla.novell.com/show_bug.cgi?id=758431

It sounds like this is a packaging/configuration issue as much as it is a problem with libsoup, so I don't know if we are affected by this or not. The bug also says the issue is no longer present with libsoup 2.38, so Cauldron is definitely not affected.
CC: (none) => fundawang
CC: (none) => olav
CC: (none) => dmorganec
CC: (none) => jani.valimaa
Funda Wang uploaded a patched package. I'll give CC'd packagers time to comment before assigning to QA.

Advisory:
========================

Updated libsoup packages fix security vulnerability:

libsoup considered all ssl connections as trusted even if no CA certificates were configured (CVE-2012-2132).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2132
http://lists.opensuse.org/opensuse-updates/2012-05/msg00013.html
========================

Updated packages in core/updates_testing:
========================
libsoup-2.4_1-2.32.2-4.2.mga1
libsoup-2.4-devel-2.32.2-4.2.mga1

from libsoup-2.32.2-4.2.mga1.src.rpm
Assigning to QA now. Advisory and SRPM in Comment 1.
Assignee: bugsquad => qa-bugs
Testing x86_64

urpmq --whatrequires lib64soup-2.4_1
Shows a long list.

Tested under strace with liferea and midori; grep showed them loading /usr/lib64/libsoup2.4.so.1

No noticeable regressions.

Testing complete x86_64

As a matter of interest, I notice mga2 has libsoup2.4_1 where mga1 has libsoup-2.4_1. mga2 has no dash. Is this intentional and properly obsoleted?
Whiteboard: (none) => mga1-64-OK
(In reply to comment #3)
> As a matter of interest, I notice mga2 has libsoup2.4_1 where mga1 has
> libsoup-2.4_1. mga2 has no dash. Is this intentional and properly obsoleted?

Nice catch. It appears it is:

$ rpm -qp --obsoletes /home/linux/mageia/distrib/2/i586/media/core/release/libsoup2.4_1-2.38.1-1.mga2.i586.rpm
libsoup-2.4_1 < 2.38.1
Thanks for checking David.
testing i586
CC: (none) => stormi
I checked the same way as in comment #3. It does not make sure that libsoup performs well, because those applications might not use the lib for most operations. Let's validate this one because I'm quite confident it will not regress, but if someone has an idea to better test this lib (i.e. make sure SOAP requests are done by the software we are testing, or a simple program that uses libsoup and tests basic operations), please tell!
Whiteboard: mga1-64-OK => mga1-64-OK mga1-32-OK
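Comment 6 asks for a simple program that exercises the library directly rather than relying on applications that happen to link it. The block below is an added example, not code from this bug, from Mageia or from libsoup: it models, with Go's standard library, the property CVE-2012-2132 is about, namely what a TLS client does with a self-signed server certificate (a) when no CA is configured at all, (b) when the server's own certificate is installed as the trust anchor, and (c) when verification is switched off. It generates a throwaway certificate in memory and handshakes over a loopback TCP socket, so it needs no files and no network beyond 127.0.0.1. The function names (RunChecks, handshake, classify, selfSignedCert), the case labels and the outcome strings are this example's own. A libsoup test rig for the same property is not on this page; the idea would be to fetch an https:// URL from a self-signed local server with no ssl-ca-file set and confirm that the message does not come back flagged as trusted, which is what the "no CA configured" case here demonstrates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Outcomes reported by RunChecks for each client configuration.
const Accepted, Rejected = "accepted", "rejected: unknown authority"

// selfSignedCert builds a throwaway self-signed "localhost" certificate in
// memory (constructed test material, not any real server's certificate).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// handshake serves cert on a loopback listener and returns the error the client
// gets when it connects with clientCfg (nil means it accepted the certificate).
func handshake(cert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // fails with the client's bad_certificate alert; expected
			c.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		cli.Close()
	}
	<-done
	return err
}

// classify maps the client's handshake result onto a short outcome string.
func classify(err error) string {
	var unknownCA x509.UnknownAuthorityError
	switch {
	case err == nil:
		return Accepted
	case errors.As(err, &unknownCA):
		return Rejected
	}
	return "rejected: " + err.Error()
}

// RunChecks handshakes with one self-signed server under three client trust
// configurations and reports what each one does with the certificate.
func RunChecks() (map[string]string, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	pinned := x509.NewCertPool() // the server's own cert installed as the trust anchor
	pinned.AddCert(leaf)
	cases := map[string]*tls.Config{
		// Correct behaviour: an empty trust store must trust nothing.
		"no CA configured": {ServerName: "localhost", RootCAs: x509.NewCertPool()},
		"server cert pinned as CA": {ServerName: "localhost", RootCAs: pinned},
		// The effect of CVE-2012-2132: whatever is presented gets accepted.
		"verification disabled": {ServerName: "localhost", InsecureSkipVerify: true},
	}
	out := make(map[string]string, len(cases))
	for name, cfg := range cases {
		out[name] = classify(handshake(cert, cfg))
	}
	return out, nil
}
```

Drive it from a small main that prints the map returned by RunChecks, or from a _test.go file that asserts on it. The expected picture is: "no CA configured" is rejected as unknown authority, "server cert pinned as CA" is accepted, and "verification disabled" is accepted. A client library with the CVE-2012-2132 defect behaves like the third configuration while claiming to be the first, which is why the "no CA configured" case is the one worth checking against a patched libsoup.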
Update validated. see comment #1 for advisory and list of packages.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0126
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED