A security flaw in terminology has been found, CVE-2018-20167. A more complete explanation can be found in the phab report. This has been fixed upstream and I have rebuilt the deb files for BL 5.0.

I haven't had time to look into whether or not it is feasible to backport this patch to earlier versions of Bodhi linux. Note: we usually do not update prior releases of BL repos as we recommend Bodhi users to update to the latest version and simply lack manpower to focus on previous releases. But if I do find it is possible to patch terminology in BL 4.x or even 3.x, I will do so. Just give me some time.

But it is highly recommended Bodhi linux 5.0 users update terminology to the latest version.

thank you for the heads-up

Updated, thx Robert

1 members found this post helpful.

Yet another terminology update, seems the security patch broke a key Terminology functionality: clicking on hyperlinks ceased to function. Please update again to Terminology 1.3.2.

1 members found this post helpful.

thanks ylee. does update and dist-upgrade work to fix this issue? or is there another method to install fixed packages?

1 members found this post helpful.

yes and yes. lol

update and upgrade is fine, you can also update and simply install terminology. If there is a new version apt-get install will install the latest version no --reinstall option needed. There are other ways but lets leave it at that.

2 members found this post helpful.

thanks - will do it now. i thought so but you guys know how little i know.

1 members found this post helpful.

Naively applying this security patch to the code for Terminology in BL 4.5, results in terminology segfaulting on certain operations. I can't use the same version I added to BL 5.0 because BL 4.5 has to old of a version of EFL. Perhaps I could debug this and fix it but I am opting to leave it as is and not update terminology in BL 4.5 for now. I am several days behind now on Bodhi related tasks and I know stefan is waiting for me to update 6 or so deb files for him. So this choice is me rationing what time I have for Bodhi related tasks.

If any Bodhi linux 4.5 users want to pick this problem up and try to solve it, go for it. Email me for more details on what I have tried and what info I have on the segfaults. Other than that I recommend BL 4.5 users to update to 5.0 if possible. If not wither use another terminal or use terminology responsibly and aware of this security bug. The latter is certainly possibly if you understand the nature of this bug.

THanks for hopefully understanding

2 members found this post helpful.

Hi,

I'm running Bodhi 5.0

An apt-get update and upgrade tel me that I already have the latest terminology version 1.2.1bodhi1-1

Any suggestion?

Thankyou

did you try "apt-get dist-upgrade" or "apt full-upgrade"?

Hi,

I did try apt-get dist-upgrade and apt full-upgrade without success.

'apt-cache policy terminology' tels me installed version is latest available: 1.2.1bodhi1-1

That's odd. I did apt update and apt full-upgrade (I hadn't upgraded in a while) and now I'm at 1.3.2

same here on my daily laptop but have not checked my office one or my wife's. i imagine they too should be ok.

Sounds like you did not run sudo apt-get update first.

1 members found this post helpful.

Hi,

I found the problem:

In the sources.list file, the 'deb [trusted=yes] http://packages.bodhilinux.com/bodhi bionic b5main' line was commented out with a #.

After removing the # sign and performing an apt-get update and upgrade, I now have terminology 1.3.2

Thank you all!

1 members found this post helpful.