Hi Philippe,

On Tue, Feb 21, 2023 at 9:15 AM Philippe Mathieu-Daudé <phi...@linaro.org> wrote:
>
> On 20/2/23 18:41, Konstantin Kostiuk wrote:
> > resolves: rhbz#2167436
>
> "You are not authorized to access bug #2167436."

Please refer to https://bugzilla.redhat.com/show_bug.cgi?id=2167423. It should now be accessible. > > fixes: CVE-2023-0664 > > This commit description is rather scarce... > > I understand you are trying to fix a CVE, but we shouldn't play > the "security by obscurity" card. How can the community and > distributions know this security fix is enough with the bare > "Remove change action from MSI installer" justification? > Can't we do better? CCing Brian Wiltse, who originally found and reported this issue. Reported-by: Brian Wiltse <brian.wil...@live.com> > > Signed-off-by: Konstantin Kostiuk <kkost...@redhat.com> > > --- > > qga/installer/qemu-ga.wxs | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs > > index 51340f7ecc..feb629ec47 100644 > > --- a/qga/installer/qemu-ga.wxs > > +++ b/qga/installer/qemu-ga.wxs > > @@ -31,6 +31,7 @@ > > /> > > <Media Id="1" Cabinet="qemu_ga.$(var.QEMU_GA_VERSION).cab" > > EmbedCab="yes" /> > > <Property Id="WHSLogo">1</Property> > > + <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" /> > > <MajorUpgrade > > DowngradeErrorMessage="Error: A newer version of QEMU guest agent > > is already installed." > > /> > > -- > > 2.25.1 > > > > > -- Mauro Matteo Cascella Red Hat Product Security PGP-Key ID: BB3410B0
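
Review bot: The single added line, <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />, carries the whole fix, yet neither the commit message nor a comment in qemu-ga.wxs explains why it addresses CVE-2023-0664. ARPNOMODIFY is the Windows Installer property that disables the Change button for the product in Add/Remove Programs. The description should therefore say what the change action allowed. It should also say whether the repair path (controlled separately by ARPNOREPAIR) and maintenance mode entered by running the package again are out of scope or handled elsewhere. An XML comment above the property naming the CVE would also keep a later cleanup from dropping it.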