Feed Reader

Mageia IRC Channels Liberachat

Mageia Wiki - 25 January, 2025 - 18:08

Connecting examples web browser link and hexchat usage.

← Older revision Revision as of 17:08, 25 January 2025 Line 9: Line 9:     On 15 June 2021, we were forced to move [[Mageia IRC Channels|our IRC channels on Freenode]] to [https://libera.chat/ Liberachat]. You can visit them on the Libera Chat Network (ircs://irc.libera.chat:6697) On 15 June 2021, we were forced to move [[Mageia IRC Channels|our IRC channels on Freenode]] to [https://libera.chat/ Liberachat]. You can visit them on the Libera Chat Network (ircs://irc.libera.chat:6697) −  −Connect to server ircs://irc.libera.chat:6697 and type /join channelname, replacing channelname with the name of the channel (including the leading "#"). All channels use English unless otherwise specified. Using a secure connection with SSL by connecting to port 6697 is obligatory.      The intention was to have a backup on Liberachat for each of our channels on Freenode. You can find them below, but some might not yet be populated or registered. If you have a question about an empty channel, then please ask in [ircs://irc.libera.chat:6697/#mageia #mageia] The intention was to have a backup on Liberachat for each of our channels on Freenode. You can find them below, but some might not yet be populated or registered. If you have a question about an empty channel, then please ask in [ircs://irc.libera.chat:6697/#mageia #mageia]     The channels will host regular meetings (see [[meetings|summaries and logs]]). The channels will host regular meetings (see [[meetings|summaries and logs]]).  +  +All channels use English unless otherwise specified.     Some channels (will) have useful bots; [[IRC bots|learn about them]]. Some channels (will) have useful bots; [[IRC bots|learn about them]].  +  +Connect to server ircs://irc.libera.chat:6697 and type /join channelname, replacing channelname with the name of the channel (including the leading "#"). Using a secure connection with SSL by connecting to port 6697 is obligatory.  
+  +Using a browser: https://web.libera.chat/  +  +Using an IRC client such as for example {{prog|hexchat}} : choose network Libera.Chat, and menu Server > Join a channel > #mageia-something from list below.     == Project-wide channels: == == Project-wide channels: == Morgano
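Review bot: The added HexChat line reads "such as for example" and uses the placeholder "#mageia-something" without saying it stands for a channel name. Drop "for example" and write "a channel from the list below, e.g. #mageia". The moved connection sentence still says "SSL" while requiring port 6697; "TLS" is the accurate term for what that port provides.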
Categories: Mageia Wiki

QA Team

Mageia Wiki - 25 January, 2025 - 17:59

‎Contact the team: link to other channels

← Older revision Revision as of 16:59, 25 January 2025 Line 16: Line 16:     * Subscribing to the [https://ml.mageia.org/l/info/qa-discuss QA-Discuss] mailing list and then send a mail message to it, to introduce yourself * Subscribing to the [https://ml.mageia.org/l/info/qa-discuss QA-Discuss] mailing list and then send a mail message to it, to introduce yourself −* By joining the [irc://irc.libera.chat/#mageia-qa #mageia-qa] IRC channel on libera.chat. How: web browser using https://web.libera.chat/, or an IRC client such as for example {{prog|hexchat}} : choose network Libera.Chat, and menu Server > Join a channel > #mageia-qa+* By joining the [irc://irc.libera.chat/#mageia-qa #mageia-qa] IRC channel on libera.chat. How: web browser using https://web.libera.chat/, or an IRC client such as for example {{prog|hexchat}} : choose network Libera.Chat, and menu Server > Join a channel > #mageia-qa. Other channels see: [[Mageia_IRC_Channels_Liberachat|Mageia IRC Channels Liberachat]].     * Team  leader : Thomas J Andrews (MageiaTJ) - andrewsfarm AT gmail dot com * Team  leader : Thomas J Andrews (MageiaTJ) - andrewsfarm AT gmail dot com Morgano
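Review bot: The link in the changed bullet still points to irc://irc.libera.chat/#mageia-qa, a plain irc:// URL with no port, while the Mageia IRC Channels Liberachat page that the new sentence links to says a secure connection on port 6697 is obligatory. Change the target to ircs://irc.libera.chat:6697/#mageia-qa so that following the link meets that requirement. "such as for example" can also lose "for example".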
Categories: Mageia Wiki

MGASA-2025-0023 - Updated phpmyadmin packages fix security vulnerabilities

Mageia Security - 24 January, 2025 - 20:46
Publication date: 24 Jan 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-30536, CVE-2024-2961

Description
  • fix possible security issue with library code slim/psr7 (CVE-2023-30536)
  • fix possible security issue relating to iconv (CVE-2024-2961, PMASA-2025-3)
  • fix an XSS vulnerability in the check tables feature (PMASA-2025-1)
  • fix an XSS vulnerability in the Insert tab (PMASA-2025-2)

References

SRPMS
9/core
  • phpmyadmin-5.2.2-1.mga9

MGASA-2025-0022 - Updated poppler packages fix security vulnerability

Mageia Security - 24 January, 2025 - 20:46
Publication date: 24 Jan 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-56378

Description
libpoppler.so has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc. (CVE-2024-56378)

References

SRPMS
9/core
  • poppler-23.02.0-1.4.mga9

Vendored dependencies

Mageia Wiki - 24 January, 2025 - 08:46

Initial notes on supporting vendored dependencies

New page

A '''vendored dependency''' is an aggregation of code (such as a package, module or library) that is included as part of a larger aggregation (usually an application) but which is also available separately as a standalone component (such as a dynamic library). A typical example is an application (e.g. MariaDB) that distributes the source for a separate library (e.g. readline) within its source tree. This can be done for a number of reasons, such as licensing issues that prevent using the module separately, custom code changes made for the application's use that are not or cannot be upstreamed, and ease of compilation for the developer.

There are many downsides to this approach. Probably the biggest one is that when a standalone dynamic library is updated to fix a security bug, the vendored versions included in other applications are not automatically updated. These applications must be updated separately, and the upstream developer may not immediately (or even ever) include the security fixes in the vendored copy, leaving the application vulnerable to security issues.

For these reasons, vendored libraries are discouraged in Mageia ''(TBD: point to the policy)''

A closely related issue is using '''dependencies that are downloaded''' at compile time. This is common in languages such as Go, Rust and JavaScript (npm), and it leads to problems similar to those of vendoring. The problems can be even worse, because it can be not only difficult to determine which dependencies have been used, but downright impossible to determine the version numbers actually used at compile time. Without dependency names and version numbers, it becomes impossible to tell when a package is affected by a security issue in a dependency. When a security issue is reported, it can result in the need to recompile many application packages instead of a single one. It is also difficult to ensure that the licenses of all downloaded packages match those allowed by the distribution. And when packages have licenses like the GPL that require source code to be supplied with the binary, it becomes mandatory to make a copy of the downloaded source available to users.

For these reasons, files downloaded at compile time are disallowed in Mageia ''(TBD: point to the policy)''

'''Static linking''' is another practice that effectively results in the same problems as the above. Some languages (e.g. Go, Rust) statically link their dependencies, so a security issue in one of those dependencies means rebuilding all the applications that use it against the fixed packages.

For these reasons, static linking is discouraged in Mageia ''(TBD: point to the policy)''

These are really three separate topics but since the effects of all three are very similar, they are discussed here as a block.

== Problems with disallowing vendoring ==

When vendored (bundled) and downloaded packages are disallowed, they must instead be packaged separately. This means extra work for packagers, since adding a single new complicated application can require individually packaging dozens or even hundreds of new separate dependency packages. This costs time, disk space and that especially rare commodity, packager time. It is simply not scalable, and it effectively means that new applications written in some of the languages particularly prone to this way of working just aren't available to Mageia users.

== The landscape ==

Two languages becoming more popular these days, Go and Rust, particularly suffer from the issues described, and supporting applications written in them in Mageia is difficult due to policies designed for the C and C++ applications that were the most popular ones in the past. If we want to support programs in these languages, we need to ease the burden on packagers.

The main reasons for anti-vendoring (and related) policies are:

# to easily identify which packages need to be updated to fix security issues
# to ensure that a known security issue does not unknowingly go unfixed in the distribution
# to reduce the work in updating those packages when necessary
# to reduce time, bandwidth and disk space for users
# to ensure source code is always available to users to fulfill licensing obligations

If we can find a way to satisfy those requirements to a reasonable degree while still allowing vendoring and downloading of modules at compile time, we can ease the burden on our packagers and infrastructure.
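The first reason in the list above, identifying which packages need an update, becomes a version comparison once the module list of each built package is on record; Go binaries built in module mode embed that list, and `go version -m` prints it. The following is an added example, not part of the wiki page or of its still-TBD Go proposal: the package names, module paths and versions are constructed, and `record`, `depVersion`, `older` and `needRebuild` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"strings"
)

// record pairs a package with the "dep" lines `go version -m` prints for it.
type record struct{ pkg, info string }

var recorded = []record{ // constructed sample: every name and version is made up
	{"exampletool", "\tdep\texample.org/netlib\tv1.4.1\th1:constructed=\n"},
	{"exampledump", "\tdep\texample.org/yamlparse\tv0.9.0\th1:constructed=\n"},
	{"examplenew", "\tdep\texample.org/netlib\tv1.10.0\th1:constructed=\n"},
}

// depVersion returns the version recorded for module, or "" if absent.
func depVersion(info, module string) string {
	for _, line := range strings.Split(info, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && f[0] == "dep" && f[1] == module {
			return f[2]
		}
	}
	return ""
}

// older reports have < fixed; a version that does not parse counts as older (flag it).
func older(have, fixed string) bool {
	var h, f [3]int
	n1, _ := fmt.Sscanf(have, "v%d.%d.%d", &h[0], &h[1], &h[2]) // "-rc1" etc. ignored
	n2, _ := fmt.Sscanf(fixed, "v%d.%d.%d", &f[0], &f[1], &f[2])
	for i := 0; n1 == 3 && n2 == 3 && i < 3; i++ {
		if h[i] != f[i] {
			return h[i] < f[i] // numeric, so v1.10.0 is newer than v1.4.2
		}
	}
	return n1 != 3 || n2 != 3
}

// needRebuild lists packages whose binary embeds module below the fixed version.
func needRebuild(recs []record, module, fixed string) (out []string) {
	for _, r := range recs {
		if v := depVersion(r.info, module); v != "" && older(v, fixed) {
			out = append(out, r.pkg)
		}
	}
	return out
}

func main() { fmt.Println(needRebuild(recorded, "example.org/netlib", "v1.4.2")) }
```

Ignoring pre-release suffixes is a simplification of full semantic-version ordering; a packaging tool would use a complete comparison.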

== A way forward ==

=== Go ===

The following proposal satisfies the reasons for the anti-vendoring policies above, while allowing applications to be packaged without individually packaging each dependency. The specifics listed in this section are for handling Go applications, but they can be generalized for other languages in the future.

TBD

=== C/C++ ===

Since these languages support dynamic linking and the developer culture does not generally encourage a huge number of small dependencies, no proposal is currently being made to ease the vendoring restrictions in C or C++ applications.

=== Others ===

The proposals for Go should be able to be generalized to work for applications in other compiled languages. It is possible to develop infrastructure to support interpreted languages as well, but the benefits may not be as clear.

The languages with the largest number of modules in Mageia as of this writing (in approximate decreasing order) are:

# Rust
# Perl
# Python
# Java
# Go
# Ruby
# OCaml
# Node.js (JavaScript)
# PHP
# Erlang

== See Also ==

* [[Packages carrying bundled copies of system libraries]]
* [[Security Updates]]

[[Category:Packaging]]

Danf
Categories: Mageia Wiki

SOP Killing builds

Mageia Wiki - 24 January, 2025 - 07:58

‎Cancel the build: Run as schedbot

← Older revision Revision as of 06:58, 24 January 2025 Line 11: Line 11:  Find the build at https://pkgsubmit.mageia.org/ and look under ''Status'' for the build's ID (it will look like YYYYMMDDHHMMSS.USER.HOST.ID). Log in to duvel and run: Find the build at https://pkgsubmit.mageia.org/ and look under ''Status'' for the build's ID (it will look like YYYYMMDDHHMMSS.USER.HOST.ID). Log in to duvel and run:    −   cancel_build 20231231211004.pterjan.duvel.1487312+   sudo -u schedbot cancel_build 20231231211004.pterjan.duvel.1487312     providing the build ID you just found. providing the build ID you just found. Danf
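Review bot: The new command "sudo -u schedbot cancel_build ..." gives no reason for switching to the schedbot account and does not say who is allowed to run it. Add a sentence stating that cancel_build has to run as schedbot and which accounts on duvel hold that sudo right, so a reader who gets a sudo refusal knows what is missing. Since the sentence after the command tells the reader to supply their own ID, a placeholder in the YYYYMMDDHHMMSS.USER.HOST.ID form would also be safer to copy than a literal build ID.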
Categories: Mageia Wiki

MGASA-2025-0021 - Updated golang packages fix security vulnerabilities

Mageia Security - 23 January, 2025 - 18:38
Publication date: 23 Jan 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-45336, CVE-2024-45341

Description
  • net/http: sensitive headers incorrectly sent after cross-domain redirect (CVE-2024-45336).
  • crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints (CVE-2024-45341).

References

SRPMS
9/core
  • golang-1.22.11-1.mga9

Mageia 9 Errata

Mageia Wiki - 22 January, 2025 - 21:53

‎Chromium browser: Update

← Older revision Revision as of 20:53, 22 January 2025 Line 271: Line 271:  === Chromium browser === === Chromium browser ===    −We seem not to have packagers for keeping Chromium browser updated, {{Bug|33609}}. Workarounds: As [[Flatpak|Flatpak]] install app/org.chromium.Chromium/x86_64/stable, or Chrome. Or Chrome rpm from Google.+We seem not to have packagers for keeping Chromium browser updated, {{Bug|33609}}. Workarounds: As [[Flatpak|Flatpak]] install app/org.chromium.Chromium/x86_64/stable, or Chrome. Or Chrome rpm from Google. Update January 2025: currently it is updated. −       === Firefox ESR === === Firefox ESR === Morgano
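Review bot: The appended "Update January 2025: currently it is updated." leaves the preceding text ("We seem not to have packagers ..." and the Flatpak and Chrome workarounds) unchanged, so the section now reports the problem and its resolution side by side. State which Chromium version the update brought and whether {{Bug|33609}} is resolved, and mark the workarounds as a fallback for when updates lapse; "currently" will go stale unless it is tied to a version or advisory.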
Categories: Mageia Wiki

MGASA-2025-0020 - Updated chromium-browser-stable packages fix security vulnerabilities

Mageia Security - 22 January, 2025 - 19:29
Publication date: 22 Jan 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-9602, CVE-2024-9603, CVE-2024-9954, CVE-2024-9955, CVE-2024-9956, CVE-2024-9957, CVE-2024-9958, CVE-2024-9959, CVE-2024-9960, CVE-2024-9961, CVE-2024-9962, CVE-2024-9963, CVE-2024-9964, CVE-2024-9965, CVE-2024-9966

Description
A lot of CVEs have been fixed upstream since our current version; please see the links.

References

SRPMS
9/tainted
  • chromium-browser-stable-132.0.6834.84-1.mga9.tainted