Bug 6153 - ncpfs new security issues CVE-2011-1679 and CVE-2011-1680
Summary: ncpfs new security issues CVE-2011-1679 and CVE-2011-1680
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: mga2-64-OK, mga1-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-05-29 17:24 CEST by David Walser
Modified: 2012-06-10 15:39 CEST
CC: 3 users

See Also:
Source RPM: ncpfs-2.2.6-10.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-05-29 17:24:28 CEST
Mandriva has issued an advisory today (May 29):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:084

Not only does it fix the two security issues, but it makes the release tag newer than what we have in Mageia 1, 2, and Cauldron.

Updates submitted for each.

Advisory:
========================

Updated ncpfs packages fix security vulnerabilities:

ncpfs 2.2.6 and earlier attempts to use (1) ncpmount to append to
the /etc/mtab file and (2) ncpumount to append to the /etc/mtab.tmp
file without first checking whether resource limits would interfere,
which allows local users to trigger corruption of the /etc/mtab file
via a process with a small RLIMIT_FSIZE value, a related issue to
CVE-2011-1089 (CVE-2011-1679).

ncpmount in ncpfs 2.2.6 and earlier does not remove the /etc/mtab~
lock file after a failed attempt to add a mount entry, which has
unspecified impact and local attack vectors (CVE-2011-1680).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1679
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1680
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:084
========================

Updated packages in core/updates_testing:
========================
ncpfs-2.2.6-11.1.mga1
ipxutils-2.2.6-11.1.mga1
libncpfs2.3-2.2.6-11.1.mga1
libncpfs-devel-2.2.6-11.1.mga1
ncpfs-2.2.6-11.1.mga2
ipxutils-2.2.6-11.1.mga2
libncpfs2.3-2.2.6-11.1.mga2
libncpfs-devel-2.2.6-11.1.mga2

from SRPMS:
ncpfs-2.2.6-11.1.mga1.src.rpm
ncpfs-2.2.6-11.1.mga2.src.rpm
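The advisory above names two defects of the same family: an append to /etc/mtab that goes ahead without checking whether RLIMIT_FSIZE will cut the write short (leaving a truncated, corrupt entry), and a /etc/mtab~ lock file that is left behind when the append fails. The C program below is an added example, not ncpfs, Mandriva or Mageia code, showing the defensive shape a mount helper wants: compare the soft RLIMIT_FSIZE against the current file size plus the entry before writing, ignore SIGXFSZ so that an over-limit write() fails with EFBIG instead of killing the process mid-update, and remove the lock file on every exit path after it was taken. The function names, return codes, the scratch file under /tmp and the sample mount line are all assumptions of the example.

```c
/* Added example (not ncpfs code): append a mount-table line only after
 * confirming RLIMIT_FSIZE allows it, and never leave the lock file behind. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

enum {
    APPEND_OK        =  0,
    APPEND_ERR_LIMIT = -1,   /* entry would cross the soft RLIMIT_FSIZE */
    APPEND_ERR_IO    = -2,   /* open/fstat/write failed or wrote a partial line */
    APPEND_ERR_LOCK  = -3    /* "<path>~" already exists: someone else holds it */
};

/* Build the lock-file name "<path>~" (the naming used in the advisory). */
static int lock_name(const char *path, char *buf, size_t n)
{
    int r = snprintf(buf, n, "%s~", path);
    return (r > 0 && (size_t)r < n) ? 0 : -1;
}

/* True if appending 'len' bytes to a file of size 'cur' would exceed the
 * caller's soft RLIMIT_FSIZE. If the limit cannot be read, refuse. */
static int exceeds_fsize_limit(off_t cur, size_t len)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0)
        return 1;
    if (rl.rlim_cur == RLIM_INFINITY)
        return 0;
    return (unsigned long long)cur + len > (unsigned long long)rl.rlim_cur;
}

/* Append one complete line to 'path' under an exclusive "<path>~" lock.
 * The size check runs before the write, so a small RLIMIT_FSIZE yields a
 * clean refusal rather than a truncated entry, and the lock file this call
 * created is removed on every exit path. */
int append_mtab_entry(const char *path, const char *entry)
{
    char lock[PATH_MAX];
    if (lock_name(path, lock, sizeof lock) != 0)
        return APPEND_ERR_IO;

    /* Exceeding RLIMIT_FSIZE raises SIGXFSZ, fatal by default; ignoring it
     * turns an over-limit write() into an EFBIG error we can report. */
    signal(SIGXFSZ, SIG_IGN);

    int lfd = open(lock, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (lfd < 0)
        return APPEND_ERR_LOCK;          /* not ours, so not ours to remove */
    close(lfd);

    int rc = APPEND_ERR_IO;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0644);
    if (fd >= 0) {
        struct stat st;
        size_t len = strlen(entry);
        if (fstat(fd, &st) == 0) {
            if (exceeds_fsize_limit(st.st_size, len))
                rc = APPEND_ERR_LIMIT;
            else if (write(fd, entry, len) == (ssize_t)len)
                rc = APPEND_OK;
        }
        close(fd);
    }
    unlink(lock);                        /* always, success or failure */
    return rc;
}

/* Inspection helpers for callers and tests. */
off_t file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

int lock_exists(const char *path)
{
    char lock[PATH_MAX];
    return lock_name(path, lock, sizeof lock) == 0 && access(lock, F_OK) == 0;
}

int main(void)
{
    char tmpl[] = "/tmp/mtab-example-XXXXXX";     /* constructed scratch file */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 1;
    close(fd);
    /* constructed sample entry, not a real mount */
    int rc = append_mtab_entry(tmpl, "server/vol /mnt/ncp ncpfs rw 0 0\n");
    printf("append rc=%d size=%lld lock_left=%d\n", rc,
           (long long)file_size(tmpl), lock_exists(tmpl));
    unlink(tmpl);
    return rc == APPEND_OK ? 0 : 1;
}
```

A setuid-root helper has a second option alongside the pre-check: raise its own soft RLIMIT_FSIZE to the hard limit with setrlimit() before touching the mount table, so a caller's artificially small limit cannot reach the write at all. Either way, the lock file must be removed on the failure path as well as on success, or the next mount attempt finds a stale /etc/mtab~ and fails.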
Comment 1 Dave Hodgins 2012-05-29 20:38:08 CEST
Am I correct in understanding that testing this will require access to
a Novell NetWare server?

CC: (none) => davidwhodgins

Comment 2 David Walser 2012-05-29 20:50:50 CEST
(In reply to comment #1)
> Am I correct in understanding that testing this will require access to
> a Novell NetWare server?

Unless there's some way to emulate Netware file sharing on Linux, I believe so.

I actually used ncpfs 10 years ago to access my student folder at the university I was at, back when the whole state government used Netware.  I don't know if anybody still uses it now.

I'm not sure how QA is really supposed to test this.  I suppose you could ask on the mageia-discuss list if anyone still uses this, but I'd be surprised to find anyone.
Comment 3 Dave Hodgins 2012-05-29 21:12:00 CEST
I'll ask on the general discussion list, and the usenet newsgroup.

If we don't get anyone with access to a NetWare server to help with testing
within a few days, the only testing we can do is to ensure the packages
install without errors, and the update will be validated based on
that.
Comment 4 Dave Hodgins 2012-06-06 06:14:41 CEST
If someone can confirm the update installs ok on x86-64, I think we should go
ahead and validate this one.

I'd rather have a user get a possibly broken update than leave them
with a known insecure system.

I'll also suggest obsoleting this package for Mageia 3, unless we have
a user of Novell Netware, who is willing to help with future qa testing
of the ncpfs package.
Comment 5 claire robinson 2012-06-06 10:25:27 CEST
Tested x86_64 MGA2

Installed from release then installed the update candidate. It seems to have a versioned require on the lib as that was pulled in too. Tried a few commands from

$ urpmf ncpfs | grep bin
$ urpmf ipxutils | grep bin

but without any success. ipxdump <number> seemed to listen. Others complained of unknown user. Tested a few with --help or -h and they were able to produce their very limited help.

I agree with you Dave that without the proper equipment we can do little more to test this. Unless there are users willing to test then very basic checks are all we can do.

I'll check mga1 later.

Whiteboard: (none) => mga2-64-OK

Comment 6 claire robinson 2012-06-06 13:34:08 CEST
Tested in the same way mga1 x86_64 with the same results.

If you've completed i586 Dave we can validate these two.

Whiteboard: mga2-64-OK => mga2-64-OK, mga1-64-OK

Comment 7 Dave Hodgins 2012-06-07 00:12:18 CEST
Validating the update.

Could someone from the sysadmin team push the Mageia 2 srpm
ncpfs-2.2.6-11.1.mga2.src.rpm
from Core Updates Testing to Core updates, and the Mageia 1 srpm
ncpfs-2.2.6-11.1.mga1.src.rpm
from Core Updates Testing to Core updates.

Advisory: Updated ncpfs packages fix security vulnerabilities:

ncpfs 2.2.6 and earlier attempts to use (1) ncpmount to append to
the /etc/mtab file and (2) ncpumount to append to the /etc/mtab.tmp
file without first checking whether resource limits would interfere,
which allows local users to trigger corruption of the /etc/mtab file
via a process with a small RLIMIT_FSIZE value, a related issue to
CVE-2011-1089 (CVE-2011-1679).

ncpmount in ncpfs 2.2.6 and earlier does not remove the /etc/mtab~
lock file after a failed attempt to add a mount entry, which has
unspecified impact and local attack vectors (CVE-2011-1680).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1679
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1680
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:084

https://bugs.mageia.org/show_bug.cgi?id=6153

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2012-06-10 15:39:13 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0112

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

