Feed Reader

Backports policy

Mageia Wiki - 7 April 2025 - 03:41

Some Additional and Useful Information / Some change in formatting

← Older revision Revision as of 02:41, 7 April 2025 Line 32: Line 32:  === Steps === === Steps ===    −'''User'''+==== '''User''' ====  * Open a bug report in bugzilla asking for a backport * Open a bug report in bugzilla asking for a backport    −'''Triage'''+==== '''Triage''' ====  * identify backport requests * identify backport requests  * add "Backport Request: " in the bug report summary * add "Backport Request: " in the bug report summary Line 45: Line 45:  * has a good reason for not providing this backport (policy, possible breakage...) => close as wontfix * has a good reason for not providing this backport (policy, possible breakage...) => close as wontfix    −'''Packager'''+==== '''Packager''' ====  * first of all check that your backport is not against the policy * first of all check that your backport is not against the policy  +  +===== Import a new backoport =====  * copy package from cauldron branch to backports branch * copy package from cauldron branch to backports branch    svn cp svn+ssh://svn.mageia.org/svn/packages/cauldron/hplip  svn+ssh://svn.mageia.org/svn/packages/backports/5/ -m "SILENT: copy for backport"   svn cp svn+ssh://svn.mageia.org/svn/packages/cauldron/hplip  svn+ssh://svn.mageia.org/svn/packages/backports/5/ -m "SILENT: copy for backport"  +  +===== Update existing backport =====  +* get the current sources mgarepo co package_name -k mgaversion by example  + mgarepo co foo -k 5  +  +===== Send the backport to BS =====  * submit to {core,nonfree,tainted}/backports_testing from the backports branch * submit to {core,nonfree,tainted}/backports_testing from the backports branch    mgarepo submit  --define section=core/backports_testing -t 5   mgarepo submit  --define section=core/backports_testing -t 5 −   * find a tester: original bug reporter when there is one, yourself if there's none, or ask in forums/irc/MLs... * find a tester: original bug reporter when there is one, yourself if there's none, or ask in forums/irc/MLs...  
* once tested by at least one person (it must be said explicitly in the bug report, with testing procedure given so that QA can know how it was tested and how to test it), hand it to QA: * once tested by at least one person (it must be said explicitly in the bug report, with testing procedure given so that QA can know how it was tested and how to test it), hand it to QA: Line 62: Line 69:  * be ready to fix bugs and answer QA team questions * be ready to fix bugs and answer QA team questions    −'''QA'''+==== '''QA''' ====  * QA team will test backports, but with lower priority than that of bugfix and security updates * QA team will test backports, but with lower priority than that of bugfix and security updates  * test backports in a similar way that we test updates.   * test backports in a similar way that we test updates.   Line 68: Line 75:  * move the packages from backports_testing to backports * move the packages from backports_testing to backports    −'''Packager again'''+==== '''Packager again''' ====  * be ready to fix bugs: once you pushed a backport, you have to maintain it until the distribution's end of life :) * be ready to fix bugs: once you pushed a backport, you have to maintain it until the distribution's end of life :)    Katnatek
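Review bot: "backoport" in the new "===== Import a new backoport =====" heading is a typo for "backport"; the '''bold''' markup inside the new ==== User ==== / Triage / Packager / QA / Packager again headings is redundant (MediaWiki headings are already rendered bold) and should be dropped; and under "Update existing backport" the command template is run into the bullet text ("* get the current sources mgarepo co package_name -k mgaversion by example"): put "mgarepo co package_name -k mgaversion" on its own preformatted line, as the svn cp and mgarepo submit lines already are, and change "by example" to "for example". "BS" in the new "Send the backport to BS" heading is not expanded anywhere on the page; spell out "build system" on first use.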
Categories: Mageia Wiki

MGASA-2025-0128 - Updated augeas packages fix security vulnerability

Mageia Security - 5 April 2025 - 19:46
Publication date: 05 Apr 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-2588
Description
Hercules Augeas fa.c re_case_expand null pointer dereference. (CVE-2025-2588)
References
SRPMS 9/core
  • augeas-1.12.0-4.1.mga9

MGASA-2025-0127 - Updated corosync packages fix security vulnerability

Mageia Security - 5 April 2025 - 19:46
Publication date: 05 Apr 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-30472
Description
Corosync through 3.1.9, if encryption is disabled or the attacker knows the encryption key, has a stack-based buffer overflow in orf_token_endian_convert in exec/totemsrp.c via a large UDP packet. (CVE-2025-30472)
References
SRPMS 9/core
  • corosync-3.1.7-1.1.mga9

MGASA-2025-0126 - Updated thunderbird packages fix security vulnerabilities

Mageia Security - 5 April 2025 - 19:46
Publication date: 05 Apr 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-3028, CVE-2025-3029, CVE-2025-3030
Description
Use-after-free triggered by XSLTProcessor. (CVE-2025-3028)
URL Bar Spoofing via non-BMP Unicode characters. (CVE-2025-3029)
Memory safety bugs fixed in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. (CVE-2025-3030)
References
SRPMS 9/core
  • thunderbird-128.9.0-1.mga9
  • thunderbird-l10n-128.9.0-1.mga9

MGASA-2025-0125 - Updated nss & firefox packages fix security vulnerabilities

Mageia Security - 5 April 2025 - 19:46
Publication date: 05 Apr 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-3028, CVE-2025-3029, CVE-2025-3030
Description
Use-after-free triggered by XSLTProcessor. (CVE-2025-3028)
URL Bar Spoofing via non-BMP Unicode characters. (CVE-2025-3029)
Memory safety bugs fixed in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. (CVE-2025-3030)
References
SRPMS 9/core
  • firefox-128.9.0-1.mga9
  • firefox-l10n-128.9.0-1.mga9
  • nss-3.110.0-1.mga9

MGAA-2025-0035 - Updated wapiti, python-browser-cookie3, python-httpx packages fix bug

Mageia Security - 5 April 2025 - 19:46
Publication date: 05 Apr 2025
Type: bugfix
Affected Mageia releases: 9
Description
The current version of wapiti is not compatible with our version of python3-httpx, and python3-browser-cookie3 lacks some runtime requirements. We update the necessary packages to fix this issue; to be able to build wapiti 3.1.4, it was also necessary to import some new packages as part of its build and runtime requirements.
References
SRPMS 9/core
  • python-browser-cookie3-0.20.1-1.mga9
  • python-socksio-1.0.0-1.1.mga9
  • python-httpx-0.23.0-1.1.mga9
  • python-aiomcache-0.8.2-1.mga9
  • python-aiosqlite-0.20.0-1.mga9
  • python-aiocache-0.12.3-1.mga9
  • python-arsenic-21.8-1.mga9
  • python-maturin-1.2.3-1.mga9
  • python-mitmproxy-wireguard-0.1.23-1.mga9
  • python3-loguru-0.5.3-1.mga9
  • wapiti-3.1.4-1.mga9

MGASA-2025-0124 - Updated microcode packages fix security vulnerability

Mageia Security - 3 April 2025 - 23:52
Publication date: 03 Apr 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-56161
Description
Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP. (CVE-2024-56161)
References
SRPMS 9/nonfree
  • microcode-0.20250211-2.mga9.nonfree
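The SRPM lines in the advisories above give the fixed source-package version, but deciding whether an installed system is covered needs rpm's own version ordering, which is neither plain string nor numeric comparison ("4.1.mga9" sorts after "4.mga9", "1.0~rc1" sorts before "1.0"). The following is an added example, not Mageia's own tooling: it reimplements rpm's rpmvercmp label comparison in Python so it runs without rpm installed, and checks a constructed sample of `rpm -qa --qf '%{NAME} %{SOURCERPM}\n'` output against the SRPM lists from the advisories on this page. The sample output, the subpackage names in it and the `audit()` helper are assumptions made for the example.

```python
"""Check installed packages against the SRPM versions listed in Mageia advisories.

Added example, not Mageia's tooling. rpmvercmp() follows the algorithm in
rpm's rpmvercmp.c; the rpm -qa output below is constructed for the example.
"""
import re

# Segments rpmvercmp compares: digit runs, letter runs, and the special
# '~' (pre-release, sorts lowest) and '^' (post-release) markers.
# Every other character is a separator and is skipped.
_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|[~^]")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1, like rpm's rpmvercmp(a, b)."""
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    i = j = 0
    while i < len(ta) or j < len(tb):
        x = ta[i] if i < len(ta) else ""
        y = tb[j] if j < len(tb) else ""
        if x == "~" or y == "~":          # tilde sorts before everything, even end of string
            if x != "~":
                return 1
            if y != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if x == "^" or y == "^":          # caret sorts after end of string, before anything else
            if not x:
                return -1
            if not y:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not x or not y:                # one label ran out of segments
            break
        if x.isdigit():
            if not y.isdigit():
                return 1                  # a numeric segment beats an alphabetic one
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):          # the longer number (no leading zeros) is larger
                return 1 if len(x) > len(y) else -1
        elif y.isdigit():
            return -1
        if x != y:
            return 1 if x > y else -1     # same-kind segments: strcmp order
        i, j = i + 1, j + 1
    if i >= len(ta) and j >= len(tb):
        return 0
    return -1 if i >= len(ta) else 1      # whichever label still has segments wins


def split_nevr(nevr: str):
    """'augeas-1.12.0-4.1.mga9' -> ('augeas', 0, '1.12.0', '4.1.mga9')."""
    name_ver, _, rel = nevr.rpartition("-")
    name, _, ver = name_ver.rpartition("-")
    epoch = 0
    if ":" in ver:                        # optional 'epoch:version'
        e, _, ver = ver.partition(":")
        epoch = int(e)
    return name, epoch, ver, rel


def evr_cmp(a: str, b: str) -> int:
    """Compare two NEVR strings of the same package: epoch, then version, then release."""
    _, ea, va, ra = split_nevr(a)
    _, eb, vb, rb = split_nevr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def audit(rpm_qa_output: str, advisory_srpms) -> dict:
    """Map each advisory SRPM name to 'fixed', 'vulnerable' or 'not installed'.

    rpm_qa_output is the text of: rpm -qa --qf '%{NAME} %{SOURCERPM}\\n'
    Matching on the source RPM catches subpackages (lib64..., -l10n, ...)
    whose names differ from the source package's. If a source package is
    installed at several versions, the lowest one is kept.
    """
    installed = {}
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        _, srpm = line.split()
        nevr = srpm[:-len(".src.rpm")] if srpm.endswith(".src.rpm") else srpm
        name = split_nevr(nevr)[0]
        if name not in installed or evr_cmp(nevr, installed[name]) < 0:
            installed[name] = nevr
    result = {}
    for fixed in advisory_srpms:
        name = split_nevr(fixed)[0]
        cur = installed.get(name)
        if cur is None:
            result[name] = "not installed"
        elif evr_cmp(cur, fixed) >= 0:
            result[name] = "fixed"
        else:
            result[name] = "vulnerable"
    return result


# Constructed sample of `rpm -qa --qf '%{NAME} %{SOURCERPM}\n'` on a Mageia 9 host
SAMPLE_RPM_QA = """\
lib64augeas0 augeas-1.12.0-4.mga9.src.rpm
augeas augeas-1.12.0-4.mga9.src.rpm
corosync corosync-3.1.7-1.1.mga9.src.rpm
firefox firefox-128.8.0-1.mga9.src.rpm
nss nss-3.110.0-1.mga9.src.rpm
thunderbird thunderbird-128.9.0-1.mga9.src.rpm
microcode microcode-0.20250211-1.mga9.nonfree.src.rpm
"""

# SRPMs taken from the advisories on this page
ADVISORY_SRPMS = [
    "augeas-1.12.0-4.1.mga9",
    "corosync-3.1.7-1.1.mga9",
    "firefox-128.9.0-1.mga9",
    "firefox-l10n-128.9.0-1.mga9",
    "nss-3.110.0-1.mga9",
    "thunderbird-128.9.0-1.mga9",
    "microcode-0.20250211-2.mga9.nonfree",
]

if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_RPM_QA, ADVISORY_SRPMS).items():
        print(f"{pkg:14} {status}")
```

Matching on the source RPM rather than the binary package name is deliberate: the thunderbird-l10n and nss updates above rebuild source packages whose installed binaries (language packs, shared libraries) carry different names, and a check keyed on binary names would miss them. Keeping the lowest installed version per source package means a partially applied update still reports as vulnerable.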

Vendored dependencies

Mageia Wiki - 3 April 2025 - 21:09

Add more Rust info

← Older revision Revision as of 20:09, 3 April 2025 (One intermediate revision by the same user not shown)Line 83: Line 83:  Security updates are assumed to consist of upgrading to a new upstream release. Those that require patching a dependency complicates this flow, since the same patch must then be applied to each vendored instance of that dependency. If an unpackaged dependency needs a local patch instead of an upgrade, then we could implement a policy that the dependency must be first be packaged before rebuilds are performed, with that new package added as a dependency to any application that needs it before rebuilding. That avoids carrying the identical patch around in many packages. Security updates are assumed to consist of upgrading to a new upstream release. Those that require patching a dependency complicates this flow, since the same patch must then be applied to each vendored instance of that dependency. If an unpackaged dependency needs a local patch instead of an upgrade, then we could implement a policy that the dependency must be first be packaged before rebuilds are performed, with that new package added as a dependency to any application that needs it before rebuilding. That avoids carrying the identical patch around in many packages.    −A script will be created to take care of the bulk of step 1 for the developer. It would scan the application source code to find out what dependencies are needed, then exclude any dependencies already supplied by packages in ''BuildRequires:'' leaving a list of outstanding ones. These would be downloaded using the language's normal package download mechanism and installed into a private temporary location. All these would then be archived into a compressed tarball along with an SBOM containing all the packaged dependency names and versions and stored in the ''SOURCES/'' directory under a standard name (maybe ''dependencies.tar.xz'').  This file would then be added to ''sha1.lst'' and uploaded to ''binrepo''. 
This could all be integrated into a ''mgarepo'' subcommand. ''TODO: who is responsible for ensuring that the licenses of all the dependencies are allowed, compatible and that the License: line in the .spec file matches?''+A script will be created to take care of the bulk of step 1 for the developer. It would scan the application source code to find out what dependencies are needed, then exclude any dependencies already supplied by packages in ''BuildRequires:'' leaving a list of outstanding ones. These would be downloaded using the language's normal package download mechanism and installed into a private temporary location. All these would then be archived into a compressed tarball along with an SBOM containing all the packaged dependency names and versions and stored in the ''SOURCES/'' directory under a standard name (maybe ''dependencies.tar.xz'', but see other historic precedence below).  This file would then be added to ''sha1.lst'' and uploaded to ''binrepo''. This could all be integrated into a ''mgarepo'' subcommand. ''TODO: who is responsible for ensuring that the licenses of all the dependencies are allowed, compatible and that the License: line in the .spec file matches?''     For step 2., the various RPM build macros would be updated to handle any dependencies stored in ''dependencies.tar.xz''. They would be extracted into a temporary location in ''BUILDROOT/'' and the compile command extended to look for missing dependencies in this location. For step 2., the various RPM build macros would be updated to handle any dependencies stored in ''dependencies.tar.xz''. They would be extracted into a temporary location in ''BUILDROOT/'' and the compile command extended to look for missing dependencies in this location. 
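Review bot: the step-1 script described in the Line 83 hunk downloads the outstanding dependencies "using the language's normal package download mechanism" and records only names and versions in the SBOM, so the only integrity anchor for the vendored tree is the sha1.lst entry for the whole tarball; the SBOM (or a lockfile stored beside it) should also carry each dependency's upstream checksum, so that a later rebuild, or the security-update flow described just above, can verify that the vendored copies still match what upstream pinned rather than whatever the registry served on the day the script ran. Two wording points in the same hunk: "Those that require patching a dependency complicates this flow" should read "complicate", and "historic precedence" should be "historic precedent".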
Line 109: Line 109:  #: <pre>grype --output json sbom:"%{NAME}-%{VERSION}.%{RELEASE}.%{ARCH}.spdx"</pre> #: <pre>grype --output json sbom:"%{NAME}-%{VERSION}.%{RELEASE}.%{ARCH}.spdx"</pre>  # If any new vulnerabilities are found, open a bug so the package can be rebuilt. # If any new vulnerabilities are found, open a bug so the package can be rebuilt.  +  +=== Rust ===  +  +Some Rust packages in Mageia already include vendored dependencies. These are stored in the tree in a binrepo file called SOURCES/''<packagename>''-vendor.tar.xz. The macro ''%cargo_prep -v vendor'' in the ''%prep'' section takes care of extracting them into the right place before a build. This archive is created with the ''cargo vendor'' command. Some means of extracting a list of those vendored packages into a SPDX file needs to be determined.     == See Also == == See Also == Line 115: Line 119:  * [[Security Updates]] * [[Security Updates]]  * [https://lwn.net/Articles/1005655/ Fedora proposing allowing vendored Go packages] * [https://lwn.net/Articles/1005655/ Fedora proposing allowing vendored Go packages]  +* [https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/#_vendored_dependencies Fedora policy on vendored Rust dependencies]  * [https://fosdem.org/2025/schedule/event/fosdem-2025-5570-rust-rpms-and-the-fine-art-of-dependency-bundling/ Rust, RPMs, and the Fine Art of Dependency Bundling] * [https://fosdem.org/2025/schedule/event/fosdem-2025-5570-rust-rpms-and-the-fine-art-of-dependency-bundling/ Rust, RPMs, and the Fine Art of Dependency Bundling]  * [https://ml.mageia.org/l/arc/dev/2023-04/msg00579.html Thread on packages with many components/modules/subpackages] * [https://ml.mageia.org/l/arc/dev/2023-04/msg00579.html Thread on packages with many components/modules/subpackages] Danf
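Review bot: the open question at the end of the new === Rust === section ("Some means of extracting a list of those vendored packages into a SPDX file needs to be determined") has a ready source: the Cargo.lock shipped with the crate already lists every resolved dependency's name, version, source and checksum, and "cargo vendor" writes a .cargo-checksum.json next to each vendored crate, so the SPDX list can be generated from Cargo.lock at the moment the -vendor.tar.xz archive is created and will stay in sync with it. This matters for the grype step at the top of the hunk: grype reads the package list from the SPDX file it is given, so vendored crates missing from that file are never scanned and the "open a bug so the package can be rebuilt" step is never triggered for them.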
Categories: Mageia Wiki