Bug 11147

Summary: php-pear-Auth_OpenID new security issue CVE-2013-4701
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, oe, sysadmin-bugs, thomas
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/565573/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
Source RPM: php-pear-Auth_OpenID-2.1.2-5.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-09-04 02:26:54 CEST 
Fedora has issued an advisory on August 24:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115039.html

Fedora has a patch, and a link to the upstream commit to fix it in bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=999687

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-09-04 02:27:03 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 Oden Eriksson 2013-09-04 10:27:08 CEST 
php-pear-Auth_OpenID-2.2.2-1.mga2, php-pear-Auth_OpenID-2.2.2-1.mga3 and php-pear-Auth_OpenID-2.2.2-1.mga4 has been submitted where this is fixed.

CC: (none) => oe

Comment 2 David Walser 2013-09-04 16:08:14 CEST 
Thanks Oden!

Advisory:
========================

Updated php-pear-Auth_OpenID packages fix security vulnerability:

Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote
attackers to read arbitrary files, send HTTP requests to intranet servers, or
cause a denial of service (CPU and memory consumption) via XRDS data containing
an external entity declaration in conjunction with an entity reference, related
to an XML External Entity (XXE) issue (CVE-2013-4701).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4701
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115039.html
========================

Updated packages in core/updates_testing:
========================
php-pear-Auth_OpenID-2.2.2-1.mga2
php-pear-Auth_OpenID-2.2.2-1.mga3

from SRPMS:
php-pear-Auth_OpenID-2.2.2-1.mga2.src.rpm
php-pear-Auth_OpenID-2.2.2-1.mga3.src.rpm

CC: (none) => thomas
Version: Cauldron => 3
Assignee: thomas => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 3 Dave Hodgins 2013-09-06 00:46:26 CEST 
As discussed with David Walser on irc, just testing that it installs cleanly.

Advisory 11147.adv committed to svn.

Someone from the sysadmin team please push 11147.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Nicolas Vigier 2013-09-13 22:18:52 CEST 
http://advisories.mageia.org/MGASA-2013-0272.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:05:46 CEST

CC: boklm => (none)