Summary: | kde-base/{kdenetwork|kopete} libgadu vulnerabilities (CAN-2005-1852) | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> | ||||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||||
Status: | RESOLVED FIXED | ||||||||||
Severity: | major | CC: | kde, wolf31o2 | ||||||||
Priority: | High | ||||||||||
Version: | unspecified | ||||||||||
Hardware: | All | ||||||||||
OS: | Linux | ||||||||||
URL: | http://www.kde.org/info/security/advisory-20050721-1.txt | ||||||||||
Whiteboard: | B1 [glsa] jaervosz | ||||||||||
Package list: | Runtime testing required: | --- | |||||||||
Attachments: |
|
Description
Sune Kloppenborg Jeppesen (RETIRED)
2005-07-20 22:33:13 UTC
KDE please provide an updated ebuild. Created attachment 63954 [details]
kdenetwork-3.3.2-r2.ebuild
I don't have time. If someone would test the ebuilds, please?! What bothers me
is that the dependency is not listed as an optional one, since the shared
libgadu can be used, too. Also Portage doesn't seem to treat SRC_URI
culmulative as it seems.
Created attachment 63955 [details]
kdenetwork-3.4.1-r1.ebuild
Created attachment 63956 [details]
kopete-3.4.1-r1.ebuild
arch herds: The patches apply and I don't see why there should be a problem, testers are welcome. Thx Carlo. So based on what I'm seeing in this bug, I'm assuming that only the 3.3.x and 3.4.x series of kdenetwork/kopete are being patched by us and that 3.2.x is no longer supported? Afair GLSA 200412-17 was the first one to not include a fix for 3.2.x. I'm sure there are several others after that. I tested the ebuilds and committed: kdenetwork-3.4.1-r1.ebuild kdenetwork-3.3.2-r2.ebuild kopete-3.4.1-r1.ebuild Stable on hppa stable on ppc64 Is it OK to mark these bad boys as blocker during release time when we're under crunch time if it is holding us up? Heh... Well... this is blocking the release at the moment... thanks all Upgrading severity to blocker as requested by wolf31o2. (In reply to comment #7) > So based on what I'm seeing in this bug, I'm assuming that only the 3.3.x and > 3.4.x series of kdenetwork/kopete are being patched by us and that 3.2.x is no > longer supported? Supporting two stable releases should suffice. While adding the fixes for KDE 3.2 as well, wouldn't be a big issue in this case, but the KDE team is small, some arch teams are, too and not everyone is as sparctastic fast & resposive as you. ;) (In reply to comment #8) > Afair GLSA 200412-17 > was the first one to not include a fix for 3.2.x. I'm sure > there are several others after that. No. KDE 3.2 wasn't affected in this case. Bug 98735 and this one are the first two. In case anyone raised an eyebrowe: No portage bug, a kde eclass speciality as I found out. Marked ppc stable. kdenetwork-3.3.2-r2 stable on mips, 3.4 hasn't gone stable on mips yet. stable on amd64. Stable on alpha. Stable on ia64. sparc stable. x86 already stable. This one is ready for GLSA. Still needing alpha keyword, back to stable. Alpha doesn't have any stable 3.4.x version and I already stabled kdenetwork-3.3.2-r2. I don't think we're missing any keywords but feel free to correct me if I'm wrong :) Kloeri sorry for the noise. This one is ready for GLSA. Rerating as B (Gadu-gadu is hardly default configuration). GLSA 200507-23 |