OpenSuSE has issued an advisory today (February 15):
http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html

Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated gnome-online-accounts packages fix security vulnerability:

It was found that Gnome Online Accounts (GOA) did not perform SSL certificate validation, when performing Windows Live and Facebook accounts creation. A remote attacker could use this flaw to conduct man-in-the-middle (MiTM) attacks, possibly leading to their ability to obtain sensitive information (CVE-2013-0240).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0240
http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html
========================

Updated packages in core/updates_testing:
========================
gnome-online-accounts-3.4.2-1.1.mga2
libgoa1.0_0-3.4.2-1.1.mga2
libgoa-gir1.0-3.4.2-1.1.mga2
libgoa1.0-devel-3.4.2-1.1.mga2

from gnome-online-accounts-3.4.2-1.1.mga2.src.rpm
Um, this is more than a CVE fix... it's also a version bump from 3.4.1 to 3.4.2
CC: (none) => tmb
That's what was in SVN. You know why.
Yes, I know... but svn changes can always be reverted in order to provide safe updates, so we need to be careful with all gtk and gnome stuff in mga2 updates... anyway we can see how it goes, but QA need to be extra careful with this mess...
Yes, thanks for pointing it out. It really *shouldn't* cause issues with this or any other package that might need to be updated, but as any changes will be more than just our security or bugfixes, but also the upstream ones from the updated version, more careful testing would be required.
$ urpmq --whatrequires gnome-online-accounts
gnome-online-accounts

Is it actually used? Any suggestions for testing?
CC: (none) => davidwhodgins
CC: (none) => olav
There is some info here but I haven't looked at it yet to see how to test this:
http://developer.gnome.org/goa/stable/
Reading here: https://live.gnome.org/GnomeOnlineAccounts

"GOA provides a centralized service that allows a set of online accounts to be configured for use with core GNOME applications. In UX terms, GOA provides a static list of online accounts that can be setup by users (through the Online Accounts panel in System Settings). These accounts can then be used by core GNOME applications."

So configuring/connecting to accounts in gnome settings should be enough to test.
Whiteboard: (none) => has_procedure
Testing complete mga2 64

Confirmed I can configure windows live and google accounts in Gnome. Empathy can also use that account information.

They fail to connect as it thinks there is no network connection, which I think is probably something to do with networkmanager not managing the network connection. Unrelated to GOA though.
Whiteboard: has_procedure => has_procedure mga2-64-ok
Checking GOA on mga2 32. One thing I've noted, there are icons for multiple other account options (yahoo, twitter, facebook, etc.) but when attempting to configure, the only options available are google and windows live. Should we be able to configure the others some way?
CC: (none) => wrw105
(In reply to Bill Wilkinson from comment #9)
> Checking GOA on mga2 32. One thing I've noted, there are icons for multiple
> other account options (yahoo, twitter, facebook, etc.) but when attempting
> to configure, the only options available are google and windows live. Should
> we be able to configure the others some way?

I don't know if they should be available or not, but I've checked that the prior version has the same behavior, so if it is a bug, it's not a regression.

Please open a new bug report if you think the other services should be available as options.
Validating the update.

Could someone from the sysadmin team push the srpm
gnome-online-accounts-3.4.2-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated gnome-online-accounts packages fix security vulnerability:

It was found that Gnome Online Accounts (GOA) did not perform SSL certificate validation, when performing Windows Live and Facebook accounts creation. A remote attacker could use this flaw to conduct man-in-the-middle (MiTM) attacks, possibly leading to their ability to obtain sensitive information (CVE-2013-0240).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0240
http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html
https://bugs.mageia.org/show_bug.cgi?id=9082
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0059
Status: NEW => RESOLVED
Resolution: (none) => FIXED