FEDORA-EPEL-2018-f9d6ff695a

security update in Fedora EPEL 7 for bibutils, ghc-hs-bibutils, & 1 more

Status: stable 7 months ago

Update to bibutils-6.6

  • Security fix for CVE-2018-10773 CVE-2018-10774 CVE-2018-10775

Comments 30

This update has been submitted for testing by vascom.

This update has been pushed to testing.

petersen edited this update.

petersen edited this update.

This update includes an .so version bump, and all packages depending on libbibutils need updating.

Update needed for:

ghc-hs-bibutils-5.0-2.el7.x86_64
ghc-pandoc-citeproc-0.3.0.1-3.el7.x86_64
pandoc-citeproc-0.3.0.1-3.el7.x86_64
karma: -1

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

OK. Also ghc-hakyll.

I'll write about it to mailing list and maintainers.

And a quick test looks like a rebuild is not enough; those packages need an update.

Right, I will take care of it and add the packages here.

ghc-hakyll is not actually built for epel7, so we don't need to worry about that.

petersen edited this update.

New build(s):

  • pandoc-citeproc-0.3.0.1-4.el7
  • ghc-hs-bibutils-6.6.0.0-1.el7

Karma has been reset.

This update has been submitted for testing by petersen.

This update has been pushed to testing.

@petersen I think you forgot ghc-rpm-macros in this update; ghc-hs-bibutils won't even build with the current epel version.

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes.

works

karma: +1

This update is 7 months old now... Is it safe to push or not?

Not safe to push, because the needed ghc-rpm-macros update is not included in this update.

Am I missing something? I don't see the ghc-rpm-macros dependency...

# repoquery --whatrequires "bibutils*"
bibutils-0:5.0-1.el7.x86_64
bibutils-devel-0:5.0-1.el7.x86_64
ghc-hs-bibutils-0:5.0-2.el7.x86_64
ghc-hs-bibutils-devel-0:5.0-2.el7.x86_64
ghc-pandoc-citeproc-0:0.3.0.1-3.el7.x86_64
pandoc-citeproc-0:0.3.0.1-3.el7.x86_64

I also looked through the spec file for ghc-rpm-macros and I don't see where it does anything during install that would depend on a package. It just copies a bunch of macro-related files into the correct location.

Packages can't be built with the published ghc-rpm-macros; the updated macros, which are in koji, are required in the build root.

Correction: the ghc-rpm-macros which are required have already been published as a separate update four months ago. So it is ok to publish this.

karma: +1

So I can push it?

Yes, just do that. The only issue there has been resolved in a separate update.

Afaik the only problem, which was a missing build dep, has been fixed as a separate update: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-22bb904daa

Hm, I do not see the push button.

This update has been submitted for batched by hobbes1069.

This update has been submitted for stable by hobbes1069.

Not logged in? Anyway, I got it :)

This update has been pushed to stable.


Content Type: RPM
Status: stable
Test Gating:
Submitted by:
Update Type: security
Update Severity: low
Karma: +2
stable threshold: 3
unstable threshold: -3
Autopush (karma): Disabled
Autopush (time): Disabled
Dates:
submitted a year ago
in testing a year ago
in stable 7 months ago
modified a year ago

Related Bugs 8

#1541039 bibutils: Does not use Fedora build flags
#1577258 CVE-2018-10773 bibutils: NULL pointer dereference in addsn function in serialno.c in libbibcore.a
#1577261 CVE-2018-10773 CVE-2018-10774 CVE-2018-10775 bibutils: various flaws [epel-all]
#1577262 CVE-2018-10773 CVE-2018-10774 CVE-2018-10775 ghc-hs-bibutils: various flaws [epel-all]
#1577268 CVE-2018-10774 bibutils: Out-of-bounds Read in isiin_keyword function in isiin.c in libbibutils.a
#1577280 CVE-2018-10775 bibutils: NULL pointer dereference in _fields_add function in fields.c in libbibcore.a
#1585851 bibutils-6.5 is available
#1599484 ghc-hs-bibutils-6.6.0.0 is available
