Bug 915891 - [guru] media-video/owncast: known vulnerabilities
Summary: [guru] media-video/owncast: known vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: GURU
Classification: Unclassified
Component: Package issues
Hardware: All Linux
Importance: Normal normal
Assignee: GURU project
Reported: 2023-10-17 12:41 UTC by David Roman
Modified: 2024-04-02 23:06 UTC

Description David Roman 2023-10-17 12:41:27 UTC
Please update to version 0.1.1. There are known vulnerabilities (e.g. SQL injection) for the version currently in the tree. See https://nvd.nist.gov/vuln/detail/CVE-2022-3751 and https://nvd.nist.gov/vuln/detail/CVE-2023-3188

Reproducible: Always
Comment 1 Viorel Munteanu gentoo-dev 2023-10-19 05:19:39 UTC
@Maintainer: please update your maintainer e-mail in metadata.xml to one recognized by bugzilla.
Comment 2 Karl-Johan Karlsson 2023-10-19 08:57:49 UTC
If I haven't gotten around to bumping the major changes for 0.1.0 yet, it will realistically never happen, especially since I no longer run it myself. I have removed myself as maintainer. If someone else wants to step up, go ahead, otherwise I can remove the package entirely for having open security bugs.

@ceamac: please update https://wiki.gentoo.org/wiki/Project:GURU/Information_for_Contributors to say that the e-mail address used for GURU must be the same as for Bugzilla.
Comment 3 Larry the Git Cow gentoo-dev 2023-10-19 10:39:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=22ea2a0db80811ac992d7c410bf796ab297ac2db

commit 22ea2a0db80811ac992d7c410bf796ab297ac2db
Author:     David Roman <davidroman96@gmail.com>
AuthorDate: 2023-10-19 10:38:01 +0000
Commit:     David Roman <davidroman96@gmail.com>
CommitDate: 2023-10-19 10:38:01 +0000

    profiles: mask media-video/owncast
    
    Bug: https://bugs.gentoo.org/915891
    Signed-off-by: David Roman <davidroman96@gmail.com>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2024-04-02 23:06:52 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=04d0498c76f47ac706ae7d33b85b7b289ad0a1a7

commit 04d0498c76f47ac706ae7d33b85b7b289ad0a1a7
Author:     Julien Roy <julien@jroy.ca>
AuthorDate: 2024-04-02 22:52:59 +0000
Commit:     Julien Roy <julien@jroy.ca>
CommitDate: 2024-04-02 22:52:59 +0000

    media-video/owncast: treeclean
    
    Closes: https://bugs.gentoo.org/915891
    Closes: https://bugs.gentoo.org/860180
    Signed-off-by: Julien Roy <julien@jroy.ca>

 media-video/owncast/Manifest                       |  6 --
 ...0.0.12-1758-remove-websocket-origin-check.patch | 22 -------
 media-video/owncast/files/owncast.initd            | 33 -----------
 media-video/owncast/metadata.xml                   |  8 ---
 media-video/owncast/owncast-0.0.12.ebuild          | 67 ----------------------
 media-video/owncast/owncast-0.0.13.ebuild          | 67 ----------------------
 6 files changed, 203 deletions(-)