RedHat has issued an advisory today (June 20): https://rhn.redhat.com/errata/RHSA-2012-0958.html Mageia 1 and Mageia 2 are also affected.
CC: (none) => doktor5000
Whiteboard: (none) => MGA2TOO, MGA1TOO
They didn't do a new release, but added 60 patches :/ http://pkgs.fedoraproject.org/gitweb/?p=sos.git;a=commitdiff;h=13178ca5faa95adb05ac3c93a5c99ea0c7db6d4a#patch63 Assigning to current maintainer.
Assignee: bugsquad => bruno
As the real security issue is linked to anaconda that Mageia doesn't use, I don't think we have anything forcing us to take these 60 patches into account atm. Once they release a new version, we'll update to it. Does that sound ok?
Priority: Normal => Low
Severity: normal => minor
In theory, sure. It's just weird that they didn't already do a new version. Are they the upstream maintainers, or is there someone else? Is it maintained at all?
CC: (none) => oe
Project moved a while ago from https://fedorahosted.org/sos/ to https://github.com/sosreport/sosreport FWIW ...
See https://github.com/gkotton/sosreport/commit/a4a7942531a2034b2408422f10587190e2e9bdc1 for (what I believe to be) the fix to this problem
CC: (none) => remco
So, seeing how Mageia does not ship anaconda, I think this does not apply to us. @luigi: Are you ok with removing this as a security bug? @bruno: I guess that only leaves to change the URL for the source in the package then to the new project home, right?
URL: http://lwn.net/Vulnerabilities/502714/ => (none)
Component: Security => RPM Packages
Whiteboard: MGA2TOO, MGA1TOO => (none)
If this doesn't impact us, you can mark the bug as WONTFIX.
If we're not vulnerable, what about having a statement of such on the wiki update pages so it doesn't appear we have just not looked into it? The MGASA ones.
CC: (none) => tmb
@MrsB: I don't think one can search our pages by CVE, and I don't think we should issue a MGASA when there is no advisory. Hopefully people searching for this CVE for Mageia will end up on this bug report instead and see we are not affected by this. Closing as INVALID for now as this issue does not affect Mageia.
Status: NEW => RESOLVED
Resolution: (none) => INVALID