Bug 9082 - gnome-online-accounts new security issue CVE-2013-0240
Summary: gnome-online-accounts new security issue CVE-2013-0240
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/538442/
Whiteboard: has_procedure mga2-64-ok MGA2-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-02-15 19:46 CET by David Walser
Modified: 2013-02-21 21:58 CET

See Also:
Source RPM: gnome-online-accounts-3.4.1-1.mga2.src.rpm
CVE:
Status comment:


Description David Walser 2013-02-15 19:46:24 CET
OpenSuSE has issued an advisory today (February 15):
http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html

Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated gnome-online-accounts packages fix security vulnerability:

It was found that Gnome Online Accounts (GOA) did not perform SSL certificate
validation, when performing Windows Live and Facebook accounts creation. A
remote attacker could use this flaw to conduct man-in-the-middle (MiTM)
attacks, possibly leading to their ability to obtain sensitive information
(CVE-2013-0240).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0240
http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html
========================

Updated packages in core/updates_testing:
========================
gnome-online-accounts-3.4.2-1.1.mga2
libgoa1.0_0-3.4.2-1.1.mga2
libgoa-gir1.0-3.4.2-1.1.mga2
libgoa1.0-devel-3.4.2-1.1.mga2

from gnome-online-accounts-3.4.2-1.1.mga2.src.rpm
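A runnable illustration of the flaw class in the advisory above (a client that skips SSL certificate validation), added here and not code from GOA or the Mageia package: a local TLS server presents a throwaway self-signed certificate, a client built the vulnerable way accepts it, and a client using Python's default verifying context rejects it. It assumes the openssl CLI is on PATH; the hostname is a placeholder, not a real GOA endpoint.

```python
import contextlib, os, shutil, socket, ssl, subprocess, tempfile, threading

HOST = "login.example.invalid"  # placeholder hostname, not a real Windows Live/Facebook endpoint

def make_self_signed(tmpdir):
    # Constructed cert: stands in for whatever a MITM would present (assumes openssl on PATH).
    crt, key = os.path.join(tmpdir, "cert.pem"), os.path.join(tmpdir, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + HOST, "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def serve_tls(listener, crt, key, n_clients):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    for _ in range(n_clients):
        conn, _ = listener.accept()
        # A handshake failure here means the client refused our certificate (the hardened case).
        with contextlib.suppress(OSError), ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"hello")

def fetch(port, verify):
    if verify:  # hardened: CA chain validation plus hostname check
        ctx = ssl.create_default_context()
    else:       # the CVE-2013-0240 pattern: any certificate is accepted, MITM goes unnoticed
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection(("127.0.0.1", port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=HOST) as tls:
            return tls.recv(5)

def run_demo():
    """Return (verifying client rejected cert, lax client accepted it), or None without openssl."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp, socket.socket() as listener:
        crt, key = make_self_signed(tmp)
        listener.bind(("127.0.0.1", 0))
        listener.listen(2)
        port = listener.getsockname()[1]
        t = threading.Thread(target=serve_tls, args=(listener, crt, key, 2), daemon=True)
        t.start()
        try:
            fetch(port, verify=True)
            rejected = False
        except ssl.SSLCertVerificationError:
            rejected = True
        accepted = fetch(port, verify=False) == b"hello"
        t.join(timeout=10)
    return rejected, accepted
```

The vulnerable branch is what a client looks like when it never checks the chain or the hostname; the fixed client fails closed on the forged certificate before any account credentials are sent.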
Comment 1 Thomas Backlund 2013-02-15 22:55:57 CET
Um, this is more than a CVE fix... it's also a version bump from 3.4.1 to 3.4.2

CC: (none) => tmb

Comment 2 David Walser 2013-02-15 23:04:44 CET
That's what was in SVN.  You know why.
Comment 3 Thomas Backlund 2013-02-15 23:17:48 CET
Yes, I know... 

but SVN changes can always be reverted in order to provide safe updates, so we need to be careful with all GTK and GNOME stuff in mga2 updates...

anyway, we can see how it goes, but QA needs to be extra careful with this mess...
Comment 4 David Walser 2013-02-15 23:29:28 CET
Yes, thanks for pointing it out.  It really *shouldn't* cause issues with this or any other package that might need to be updated, but as any changes will be more than just our security or bugfixes, but also the upstream ones from the updated version, more careful testing would be required.
Comment 5 Dave Hodgins 2013-02-17 00:40:56 CET
$ urpmq --whatrequires gnome-online-accounts
gnome-online-accounts

Is it actually used?  Any suggestions for testing?

CC: (none) => davidwhodgins

David Walser 2013-02-17 00:42:50 CET

CC: (none) => olav

Comment 6 claire robinson 2013-02-17 01:46:37 CET
There is some info here, but I haven't looked at it yet to see how to test this:

http://developer.gnome.org/goa/stable/
Comment 7 claire robinson 2013-02-18 11:16:43 CET
Reading here: https://live.gnome.org/GnomeOnlineAccounts

"GOA provides a centralized service that allows a set of online accounts to be configured for use with core GNOME applications. In UX terms, GOA provides a static list of online accounts that can be setup by users (through the Online Accounts panel in System Settings). These accounts can then be used by core GNOME applications. "

So configuring/connecting to accounts in GNOME settings should be enough to test.

Whiteboard: (none) => has_procedure

Comment 8 claire robinson 2013-02-18 11:50:29 CET
Testing complete mga2 64

Confirmed I can configure Windows Live and Google accounts in GNOME.
Empathy can also use that account information.

They fail to connect as it thinks there is no network connection, which I think is probably something to do with networkmanager not managing the network connection. Unrelated to GOA though.

Whiteboard: has_procedure => has_procedure mga2-64-ok

Comment 9 Bill Wilkinson 2013-02-20 01:34:48 CET
Checking GOA on mga2 32.  One thing I've noted, there are icons for multiple other account options (yahoo, twitter, facebook, etc.) but when attempting to configure, the only options available are google and windows live. Should we be able to configure the others some way?

CC: (none) => wrw105

Comment 10 Dave Hodgins 2013-02-21 08:39:26 CET
(In reply to Bill Wilkinson from comment #9)
> Checking GOA on mga2 32.  One thing I've noted, there are icons for multiple
> other account options (yahoo, twitter, facebook, etc.) but when attempting
> to configure, the only options available are google and windows live. Should
> we be able to configure the others some way?

I don't know if they should be available or not, but I've checked
that the prior version has the same behavior, so if it is a bug,
it's not a regression.  Please open a new bug report if you think
the other services should be available as options.
Comment 11 Dave Hodgins 2013-02-21 08:42:26 CET
Validating the update.

Could someone from the sysadmin team push the srpm
gnome-online-accounts-3.4.2-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated gnome-online-accounts packages fix security vulnerability:

It was found that Gnome Online Accounts (GOA) did not perform SSL certificate
validation, when performing Windows Live and Facebook accounts creation. A
remote attacker could use this flaw to conduct man-in-the-middle (MiTM)
attacks, possibly leading to their ability to obtain sensitive information
(CVE-2013-0240).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0240
http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html

https://bugs.mageia.org/show_bug.cgi?id=9082

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok MGA2-32-OK

Comment 12 Thomas Backlund 2013-02-21 21:58:16 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0059

Status: NEW => RESOLVED
Resolution: (none) => FIXED

