OpenSuSE has issued an advisory today (November 28): http://lists.opensuse.org/opensuse-updates/2012-11/msg00087.html It fixes a new issue, CVE-2012-5534, which they have a patch for. Upstream shows this as fixed in 0.3.9.2 (so Cauldron is affected). http://www.weechat.org/security/
Whiteboard: (none) => MGA2TOO
Fedora has issued an advisory for this on November 20: http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093495.html The RedHat bug also has a link to the upstream change that fixes this: https://bugzilla.redhat.com/show_bug.cgi?id=878025
Here's a patch link in Fedora git: http://pkgs.fedoraproject.org/cgit/weechat.git/plain/weechat-fix-1.patch?id=6b064ab9c72f4501e0d84c26d4c4e5a9b8423e46
Updated package uploaded for Cauldron by Funda. Patched package uploaded for Mageia 1 and Mageia 2 by Funda. Thanks Funda! Advisory: ======================== Updated weechat packages fix security vulnerability: Untrusted command for function hook_process in WeeChat before 0.3.9.2 could lead to execution of commands, because of shell expansions (so the problem is only caused by some scripts, not by WeeChat itself) (CVE-2012-5534). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5534 https://savannah.nongnu.org/bugs/?37764 http://www.weechat.org/security/ http://lists.opensuse.org/opensuse-updates/2012-11/msg00087.html ======================== Updated packages in core/updates_testing: ======================== weechat-0.3.0-1.1.mga1 weechat-perl-0.3.0-1.1.mga1 weechat-python-0.3.0-1.1.mga1 weechat-tcl-0.3.0-1.1.mga1 weechat-ruby-0.3.0-1.1.mga1 weechat-lua-0.3.0-1.1.mga1 weechat-charset-0.3.0-1.1.mga1 weechat-aspell-0.3.0-1.1.mga1 weechat-devel-0.3.0-1.1.mga1 weechat-0.3.6-3.2.mga2 weechat-perl-0.3.6-3.2.mga2 weechat-python-0.3.6-3.2.mga2 weechat-tcl-0.3.6-3.2.mga2 weechat-ruby-0.3.6-3.2.mga2 weechat-lua-0.3.6-3.2.mga2 weechat-charset-0.3.6-3.2.mga2 weechat-aspell-0.3.6-3.2.mga2 weechat-devel-0.3.6-3.2.mga2 from SRPMS: weechat-0.3.0-1.1.mga1.src.rpm weechat-0.3.6-3.2.mga2.src.rpm
CC: (none) => fundawangVersion: Cauldron => 2Assignee: fundawang => qa-bugsWhiteboard: MGA2TOO => MGA1TOO
No PoC so just testing the basics Procedure: https://bugs.mageia.org/show_bug.cgi?id=8044#c6
Whiteboard: MGA1TOO => MGA1TOO has_procedure
Testing complete Mga1 32 & 64 and Mga2 64
Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK
Testing complete mga2 32 Validating Advisory & srpms for Mageia 1 & 2 in comment 3 Could sysadmin please push from core/updates_testing to core/updates Thanks!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-32-OK mga2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0347
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED