RedHat has issued an advisory today (November 13):
https://rhn.redhat.com/errata/RHSA-2012-1459.html

Mageia 2 and Cauldron should be affected, as they contain the same version as RHEL6. It is not clear if Mageia 1 is affected.

The upstream commit to fix this is linked in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=715384
Whiteboard: (none) => MGA2TOO, MGA1TOO
Keywords: (none) => Junior_job
The fixed code is already present in 1.4.4, which RedHat upgraded to from 1.3.0. Mageia 2 and Cauldron are therefore unaffected. 1.3.0 fails to build with the upstream patch applied, so I guess we should just upgrade Mageia 1 to 1.4.4 as well.
Keywords: Junior_job => (none)
Version: Cauldron => 1
Whiteboard: MGA2TOO, MGA1TOO => (none)
Updated package uploaded for Mageia 1.

Advisory:
========================
Updated nspluginwrapper package fixes security vulnerability:

It was not possible for plug-ins wrapped by nspluginwrapper to discover whether the browser was running in Private Browsing mode. This flaw could lead to plug-ins wrapped by nspluginwrapper using normal mode while they were expected to run in Private Browsing mode (CVE-2011-2486).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2486
https://rhn.redhat.com/errata/RHSA-2012-1459.html
========================

Updated packages in core/updates_testing:
========================
nspluginwrapper-1.4.4-1.mga1

from nspluginwrapper-1.4.4-1.mga1.src.rpm
CC: (none) => thierry.vignaud
Assignee: thierry.vignaud => qa-bugs
Source RPM: nspluginwrapper-1.4.4-4.mga3.src.rpm => nspluginwrapper-1.3.0-7.mga1.src.rpm
Testing complete on Mageia 1.

For testing, on x86-64, I installed the old version, created the directory /usr/lib/mozilla/plugins, installed Adobe Reader, ran
/opt/Adobe/Reader9/Browser/install_browser_plugin -global
and then ran
# nspluginwrapper -i /usr/lib/mozilla/plugins/nppdf.so

Confirmed Firefox could view a PDF file using the plugin, installed the update, and confirmed it still works.

For i586, just confirmed the package installed cleanly, since it's of no real use on a 32-bit system.

Could someone from the sysadmin team push the srpm
nspluginwrapper-1.4.4-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates?

Advisory:
Updated nspluginwrapper package fixes security vulnerability:

It was not possible for plug-ins wrapped by nspluginwrapper to discover whether the browser was running in Private Browsing mode. This flaw could lead to plug-ins wrapped by nspluginwrapper using normal mode while they were expected to run in Private Browsing mode (CVE-2011-2486).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2486
https://rhn.redhat.com/errata/RHSA-2012-1459.html
https://bugs.mageia.org/show_bug.cgi?id=8071
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA1-64-OK MGA1-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0336
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED