MGASA-2021-0146

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2021-0146.html

Import Source

https://advisories.mageia.org/MGASA-2021-0146.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2021-0146

Related

CVE-2021-28117

Published

2021-03-18T10:52:54Z

Modified

2021-03-18T10:01:49Z

Summary

Updated discover package fixes a security vulnerability

Details

Discover fetches the description and related texts of some applications/plugins from store.kde.org. That text is displayed to the user, after turning into a clickable link any part of the text that looks like a link. This is done for any kind of link, be it smb:// nfs:// etc. when in fact it only makes sense for http/https links. Opening links that the user has clicked on is not very problematic but can be used to chain to other attack vectors. Given the intended functionality of the feature is just for http/https links it makes sense to do that verification (CVE-2021-28117).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:7 / discover

Package

Name: discover
Purl: pkg:rpm/mageia/discover?arch=source&distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.4-2.2.mga7

Ecosystem specific

{
    "section": "core"
}

Mageia:8 / discover

Package

Name: discover
Purl: pkg:rpm/mageia/discover?arch=source&distro=mageia-8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.20.4-3.1.mga8

Ecosystem specific

{
    "section": "core"
}