| Summary: | perl-Crypt-DSA new security issue CVE-2011-3599 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, mageia, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/566719/ | ||
| Whiteboard: | MGA2TOO MGA2-32-OK MGA2-64-OK MGA3-64-OK MGA3-32-OK | ||
| Source RPM: | perl-Crypt-DSA-1.170.0-2.mga3.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | perl script for testing perl-Crypt-DSA | ||
|
Description
David Walser
2013-09-13 18:16:24 CEST
David Walser
2013-09-13 18:16:30 CEST
Whiteboard:
(none) =>
MGA3TOO, MGA2TOO I have uploaded patched packages for Mageia 2 and 3. No idea how to test it. Suggested advisory: ======================== The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when /dev/random is absent, uses the Data::Random module, which makes it easier for remote attackers to spoof a signature, or determine the signing key of a signed message, via a brute-force attack. This update removes the fallback to Data::Random. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3599 http://lwn.net/Vulnerabilities/566719/ ======================== Updated packages in core/updates_testing: ======================== Mageia 3: perl-Crypt-DSA-1.170.0-2.1.mga3.noarch.rpm Source RPM: perl-Crypt-DSA-1.170.0-2.1.mga3.src.rpm Mageia 2: perl-Crypt-DSA-1.170.0-1.1.mga2.noarch.rpm Source RPM: perl-Crypt-DSA-1.170.0-1.1.mga2.src.rpm CC:
(none) =>
mageia Thanks Sander! Just making some minor formatting changes to the advisory. Suggested advisory: ======================== The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when /dev/random is absent, uses the Data::Random module, which makes it easier for remote attackers to spoof a signature, or determine the signing key of a signed message, via a brute-force attack (CVE-2011-3599). This update removes the fallback to Data::Random. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3599 https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115603.html ======================== Updated packages in core/updates_testing: ======================== perl-Crypt-DSA-1.170.0-1.1.mga2 perl-Crypt-DSA-1.170.0-2.1.mga3 Source RPMs: perl-Crypt-DSA-1.170.0-1.1.mga2.src.rpm perl-Crypt-DSA-1.170.0-2.1.mga3.src.rpm Advisory 11226.adv committed to svn. CC:
(none) =>
davidwhodgins Created attachment 4373 [details]
perl script for testing perl-Crypt-DSA
Testing complete on Mageia 2 i586. Before the update, after temporarily renaming /dev/random and /dev/urandom) Script fails with Can't locate Data/Random.pm. After the update it fails with makerandom requires /dev/random. After renaming /dev/random and urandom back to normal, the script works. Note that there is no output. Using strace output to verify it's working. I'll test x86_64 and Mageia 3 shortly. Whiteboard:
MGA2TOO =>
MGA2TOO MGA2-32-OK Testing complete. Someone from the sysadmin team please push 11226.adv to updates. Keywords:
(none) =>
validated_update Update pushed: http://advisories.mageia.org/MGASA-2013-0289.html Status:
NEW =>
RESOLVED |