private file disclosure issue (CVE-2015-0844)

Thanks; I reformatted the changelogs slightly for consistency with our other security updates and so that this bug will be automatically closed when the packages are released; the packages are building now, and I should release them tomorrow if the builds succeed on the build servers.

Thanks!

This bug was fixed in the package wesnoth-1.10 - 1:1.10.2-1ubuntu1

---------------
wesnoth-1.10 (1:1.10.2-1ubuntu1) precise-security; urgency=low

  * SECURITY UPDATE: Pull af61f9fd from upstream to fix "Private file
    disclosure through get_wml_location()" (LP: #1445688)
    - CVE-2015-0844
 -- Rhonda D'Vine <email address hidden> Fri, 17 Apr 2015 23:57:16 +0200

This bug was fixed in the package wesnoth-1.10 - 1:1.10.7-1ubuntu0.14.10.1

---------------
wesnoth-1.10 (1:1.10.7-1ubuntu0.14.10.1) utopic-security; urgency=low

  * SECURITY UPDATE: Pull af61f9fd from upstream to fix "Private file
    disclosure through get_wml_location()" (LP: #1445688)
    - CVE-2015-0844
 -- Rhonda D'Vine <email address hidden> Fri, 17 Apr 2015 23:57:16 +0200

This bug was fixed in the package wesnoth-1.10 - 1:1.10.7-1ubuntu0.14.04.1

---------------
wesnoth-1.10 (1:1.10.7-1ubuntu0.14.04.1) trusty-security; urgency=low

  * SECURITY UPDATE: Pull af61f9fd from upstream to fix "Private file
    disclosure through get_wml_location()" (LP: #1445688)
    - CVE-2015-0844
 -- Rhonda D'Vine <email address hidden> Fri, 17 Apr 2015 23:57:16 +0200

Thanks Rhonda, the fixes are released.

This is fixed already in vivid, closing bug.

Status changed to 'Confirmed' because the bug affects multiple users.

For wesnoth-1.12, this was fixed with the 1:1.12.2-1 upload, which is both in vivid and wily, closing the tasks there. Precise does not have the package at all. For trusty and utopic, these packages were provided by the ubuntu-backports project https://launchpad.net/ubp ; you'll need to file a request with them to update wesnoth-1.12 (see https://wiki.ubuntu.com/UbuntuBackports for more details on the backports update process).

Sorry, this security issue is not fixed for trusty yet.

I don't understand what I need to do on this page https://wiki.ubuntu.com/UbuntuBackports

You might have to file a bug on https://launchpad.net/trusty-backports

@dholbach, but this a lie - https://launchpad.net/ubuntu/+source/wesnoth-1.12 - fix for this package is not released for Trusty. Users are still affected by CVE. You don't care, right? Maybe there should be change in Ubuntu process regarding communication with backports.

I didn't find a way to add trusty-backports as affected by this bug. It is either because you changed permissions, or because there is no such feature in LaunchPad?

No. It's not a lie. Trusty backports bugs are not handled within the Ubuntu project tasks, but under a separate project that I've added now. What it is, is someone rushing to make an accusation because they don't understand how the project is managed.

As described in https://help.ubuntu.com/community/UbuntuBackports someone needs to verify that the newer backport builds, installs, and runs on trusty. Once that's done, I'll be glad to upload it.

On Fri, May 15, 2015 at 9:23 AM, Scott Kitterman <email address hidden> wrote:
> No. It's not a lie. Trusty backports bugs are not handled within the
> Ubuntu project tasks, but under a separate project that I've added now.
> What it is, is someone rushing to make an accusation because they don't
> understand how the project is managed.

The lie is to say that fix for Wesnoth 1.12 Trusty is released.
Because it is not.

> As described in https://help.ubuntu.com/community/UbuntuBackports
> someone needs to verify that the newer backport builds, installs, and
> runs on trusty. Once that's done, I'll be glad to upload it.

This is also not true. This page doesn't describe how to verify that.

I filed Bug #1456775 which has all the information for testing and a link to my PPA where packages are building to test.

Sorry, this is for trusty and utopic backports