Bug 582740 (CVE-2015-7542) - <sys-libs/gwenhywfar-4.19.0: bundling of outdated and potentially insecure root certificates
Summary: <sys-libs/gwenhywfar-4.19.0: bundling of outdated and potentially insecure ro...
Status: RESOLVED FIXED
Alias: CVE-2015-7542
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks: 640900 644782
Reported: 2016-05-11 09:14 UTC by Hanno Böck
Modified: 2018-05-13 22:52 UTC (History)
CC List: 2 users

See Also:
Package list:
sys-libs/gwenhywfar-4.19.0
Runtime testing required: ---


Attachments

Description Hanno Böck gentoo-dev 2016-05-11 09:14:59 UTC
See
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7542

It's about bundled deprecated certificates. Ideally the package should use the system-wide certificate store, but even the latest version doesn't do that.

There's a new version 4.15.3 that I'll commit today. I'm currently trying to find out via the upstream mailing list if they intend to switch to the system wide store or keep their own store up to date.
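The description's point is that an application carrying its own root certificates drifts away from the system trust store and ends up shipping expired or withdrawn roots. The script below is an added example written for this page, not code from gwenhywfar, Gentoo or the bug reporter: a standard-library-only Python audit of a PEM CA bundle that reports certificates past their notAfter date and certificates absent from a reference trust store (the system store when run stand-alone). The DER walker, the `make_sample_cert_pem` builder and every sample date are constructed for the example, and the optional file-path argument is an assumption, not the location of gwenhywfar's actual bundle.

```python
"""Audit a bundled PEM CA file: report certificates that have expired and
certificates missing from a reference trust store. Standard library only;
the DER walker reads just enough of an X.509 certificate to reach notAfter."""
import base64
import datetime
import hashlib
import re
import ssl
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
UTC = datetime.timezone.utc


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Yield (tag, value) for each element of a DER SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value


def _parse_time(tag, value):
    """X.509 Time: UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    text = value.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        year = int(text[:2])
        text = f"{year + (1900 if year >= 50 else 2000)}{text[2:]}"
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def not_after(der):
    """Return the notAfter date of a DER-encoded X.509 certificate."""
    _, cert_body, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)                 # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                             # serial, sigAlg, issuer, validity, ...
    return _parse_time(*list(_children(validity))[1])   # validity = notBefore, notAfter


def pem_to_der(pem):
    return base64.b64decode(PEM_RE.search(pem).group(1))


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def audit_bundle(pem_text, trusted_der, now=None):
    """Return (expired, unknown): fingerprints of bundle certs past notAfter,
    and of bundle certs not present in the reference store."""
    now = now or datetime.datetime.now(UTC)
    trusted = {fingerprint(d) for d in trusted_der}
    expired, unknown = [], []
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode(m.group(1))
        fp = fingerprint(der)
        if not_after(der) < now:
            expired.append(fp)
        if fp not in trusted:
            unknown.append(fp)
    return expired, unknown


def _tlv(tag, value):
    """Encode one DER tag-length-value (used only to build constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def make_sample_cert_pem(not_before, not_after_dt):
    """CONSTRUCTED sample: an unsigned, X.509-shaped blob carrying only the fields
    the audit reads. Not a real certificate; it would fail any signature check."""
    t = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),                                # [0] version v3
        _tlv(0x02, b"\x01"),                                            # serialNumber
        _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSAEncryption
        _tlv(0x30, b""),                                                # issuer (empty Name)
        _tlv(0x30, t(not_before) + t(not_after_dt)),                    # validity
    ]))
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))     # sigAlg + empty signature
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Audit a bundle given on the command line (assumed path), else the constructed sample.
    if len(sys.argv) > 1:
        bundle = open(sys.argv[1]).read()
    else:
        bundle = make_sample_cert_pem(datetime.datetime(2010, 1, 1, tzinfo=UTC),
                                      datetime.datetime(2015, 12, 31, tzinfo=UTC))
    system_store = ssl.create_default_context().get_ca_certs(binary_form=True)
    expired, unknown = audit_bundle(bundle, system_store)
    print(f"expired: {len(expired)}  not in system store: {len(unknown)}")
```

Comparing by SHA-256 fingerprint of the DER is deliberate: a bundle that contains a root the distribution has withdrawn will show up as "unknown" even when the root is still within its validity period, which is the case the bug report is really about.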
Comment 1 Hanno Böck gentoo-dev 2016-10-31 10:31:38 UTC
Update: upstream has fixed this in the latest beta versions. I'll wait till they become non-beta and will then update.
Comment 2 Fabian Köster 2017-08-31 08:50:51 UTC
Gwenhywfar 4.18.0 has been released (non-beta) including the fix.
Comment 3 Larry the Git Cow gentoo-dev 2018-02-12 23:50:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82eb14efdb7e64341d631a7b9a7dfa6782a6305f

commit 82eb14efdb7e64341d631a7b9a7dfa6782a6305f
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-02-12 22:44:14 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-02-12 23:50:09 +0000

    sys-libs/gwenhywfar: 4.19.0 version bump
    
    Thanks-to: Thomas Bettler <thomas.bettler@gmail.com>
    Bug: https://bugs.gentoo.org/582740
    Bug: https://bugs.gentoo.org/640900
    Closes: https://bugs.gentoo.org/644782
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 sys-libs/gwenhywfar/Manifest                 |   1 +
 sys-libs/gwenhywfar/gwenhywfar-4.19.0.ebuild | 116 +++++++++++++++++++++++++++
 sys-libs/gwenhywfar/metadata.xml             |  17 ++--
 3 files changed, 128 insertions(+), 6 deletions(-)
Comment 4 Andreas Sturmlechner gentoo-dev 2018-02-13 00:01:03 UTC
Let's use this bug for stabilisation after the usual testing period.
Comment 5 Andreas Sturmlechner gentoo-dev 2018-02-19 23:52:31 UTC
In fact I would like to schedule this with kmymoney-5.0.0 for 2018-03-12 if possible.
Comment 6 Larry the Git Cow gentoo-dev 2018-04-06 00:42:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26b5e6901708132469ce69fa967a6e1d2882c484

commit 26b5e6901708132469ce69fa967a6e1d2882c484
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-04-06 00:38:47 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-04-06 00:42:00 +0000

    sys-libs/gwenhywfar: Drop vulnerable and Qt4-based
    
    Bug: https://bugs.gentoo.org/582740
    Closes: https://bugs.gentoo.org/644782
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 sys-libs/gwenhywfar/Manifest                    |  1 -
 sys-libs/gwenhywfar/gwenhywfar-4.15.3-r1.ebuild | 62 -------------------------
 sys-libs/gwenhywfar/gwenhywfar-4.15.3.ebuild    | 59 -----------------------
 3 files changed, 122 deletions(-)
Comment 7 Andreas Sturmlechner gentoo-dev 2018-05-13 20:47:06 UTC
ping sec
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-05-13 22:52:14 UTC
GLSA Vote: No

Thanks, Andreas!