Fedora 27: cantata Security Update
Summary
Cantata is a graphical client for the music player daemon (MPD).
Features:
* Multiple MPD collections.
* Highly customisable layout.
* Songs grouped by album in play queue.
* Context view to show artist, album, and song information of current track.
* Simple tag editor.
* File organizer - use tags to organize files and folders.
* Ability to calculate ReplyGain tags.
* Dynamic playlists.
* Online services; Jamendo, Magnatune, SoundCloud, and Podcasts.
* Radio stream support - with the ability to search for streams via TuneIn
and ShoutCast.
* USB-Mass-Storage and MTP device support.
* Audio CD ripping and playback.
* Playback of non-MPD songs, via simple in-built HTTP server.
* MPRISv2 DBUS interface.
* Support for KDE global shortcuts (KDE builds), GNOME media keys, and generic
media keys (via Qxt support)
* Ubuntu/ambiance theme integration.
Latest upstream release, omits some mounting code found to be insecure and not
well tested.
* Wed Jun 27 2018 Rex Dieter
- cantata-2.3.1
- include upstream commit that removes samba share mounting code
* Fri Apr 27 2018 Rex Dieter
- cantata-2.3.0
* Thu Mar 22 2018 Rex Dieter
- cantata-2.2.0
* Wed Feb 7 2018 Fedora Release Engineering
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sun Jan 7 2018 Igor Gnatenko
- Remove obsolete scriptlets
[ 1 ] Bug #1595570 - CVE-2018-12562 cantata: Insufficient input validation in the 'mount.cifs.wrapper' script
https://bugzilla.redhat.com/show_bug.cgi?id=1595570
[ 2 ] Bug #1595569 - CVE-2018-12561 cantata: Possible injection of additional mount options by manipulating the domain parameters of the samba URL
https://bugzilla.redhat.com/show_bug.cgi?id=1595569
[ 3 ] Bug #1595567 - CVE-2018-12560 cantata: Directory traversal in the D-Bus service of cantata-mounter
https://bugzilla.redhat.com/show_bug.cgi?id=1595567
[ 4 ] Bug #1595566 - CVE-2018-12559 cantata: Directory traversal due to insufficient mount target check in mounter.cpp
https://bugzilla.redhat.com/show_bug.cgi?id=1595566
su -c 'dnf upgrade --advisory FEDORA-2018-9296823b6c' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GKSK32KTXLRRNHWZF5XFWRMJ24A33OSM/
FEDORA-2018-9296823b6c 2018-07-06 15:43:24.292407 Product : Fedora 27 Version : 2.3.1 Release : 1.fc27 URL : https://github.com/cdrummond/cantata Summary : Music Player Daemon (MPD) graphical client Description : Cantata is a graphical client for the music player daemon (MPD). Features: * Multiple MPD collections. * Highly customisable layout. * Songs grouped by album in play queue. * Context view to show artist, album, and song information of current track. * Simple tag editor. * File organizer - use tags to organize files and folders. * Ability to calculate ReplyGain tags. * Dynamic playlists. * Online services; Jamendo, Magnatune, SoundCloud, and Podcasts. * Radio stream support - with the ability to search for streams via TuneIn and ShoutCast. * USB-Mass-Storage and MTP device support. * Audio CD ripping and playback. * Playback of non-MPD songs, via simple in-built HTTP server. * MPRISv2 DBUS interface. * Support for KDE global shortcuts (KDE builds), GNOME media keys, and generic media keys (via Qxt support) * Ubuntu/ambiance theme integration. Latest upstream release, omits some mounting code found to be insecure and not well tested. * Wed Jun 27 2018 Rex Dieter - 2.3.1-1 - cantata-2.3.1 - include upstream commit that removes samba share mounting code * Fri Apr 27 2018 Rex Dieter - 2.3.0-1 - cantata-2.3.0 * Thu Mar 22 2018 Rex Dieter - 2.2.0-1 - cantata-2.2.0 * Wed Feb 7 2018 Fedora Release Engineering - 2.0.1-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild * Sun Jan 7 2018 Igor Gnatenko - 2.0.1-5 - Remove obsolete scriptlets [ 1 ] Bug #1595570 - CVE-2018-12562 cantata: Insufficient input validation in the 'mount.cifs.wrapper' script https://bugzilla.redhat.com/show_bug.cgi?id=1595570 [ 2 ] Bug #1595569 - CVE-2018-12561 cantata: Possible injection of additional mount options by manipulating the domain parameters of the samba URL https://bugzilla.redhat.com/show_bug.cgi?id=1595569 [ 3 ] Bug #1595567 - CVE-2018-12560 cantata: Directory traversal in the D-Bus service of cantata-mounter https://bugzilla.redhat.com/show_bug.cgi?id=1595567 [ 4 ] Bug #1595566 - CVE-2018-12559 cantata: Directory traversal due to insufficient mount target check in mounter.cpp https://bugzilla.redhat.com/show_bug.cgi?id=1595566 su -c 'dnf upgrade --advisory FEDORA-2018-9296823b6c' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GKSK32KTXLRRNHWZF5XFWRMJ24A33OSM/
Change Log
References