Bug 11808

Summary: quassel new security issue CVE-2013-6404
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/575368/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Source RPM: quassel-0.9.1-1.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-11-28 16:44:10 CET 
A CVE has been assigned for a security issue fixed in quassel 0.9.2:
http://www.openwall.com/lists/oss-security/2013/11/28/8

Information about the 0.9.2 release:
http://freecode.com/projects/quassel/releases/359566
http://quassel-irc.org/node/123

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-11-28 16:44:36 CET 
Freeze push requested for Cauldron.  Checked into SVN for Mageia 3.

Whiteboard: (none) => MGA3TOO

Comment 2 David Walser 2013-11-30 18:18:50 CET 
quassel-0.9.2-1.mga4 uploaded for Cauldron.  Mageia 3 update building now.

Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

Comment 3 David Walser 2013-11-30 18:26:53 CET 
Advisory:
========================

Updated quassel packages fix security vulnerability:

Security vulnerability in Quassel before 0.9.2 through which a manipulated, but
properly authenticated client was able to retrieve the backlog of other users
on the same core in some cases (CVE-2013-6404).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6404
http://freecode.com/projects/quassel/releases/359566
http://quassel-irc.org/node/123
http://www.openwall.com/lists/oss-security/2013/11/28/8
========================

Updated packages in core/updates_testing:
========================
quassel-0.9.2-1.mga3
quassel-common-0.9.2-1.mga3
quassel-client-0.9.2-1.mga3
quassel-core-0.9.2-1.mga3

from quassel-0.9.2-1.mga3.src.rpm

Assignee: bugsquad => qa-bugs

Comment 4 Dave Hodgins 2013-11-30 18:34:49 CET 
Advisory 11808.adv committed to svn. No poc provided, so just need to test that
the update works.

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 5 Dave Hodgins 2013-11-30 20:00:48 CET 
Testing complete on Mageia 3 i586 and x86_64. Validating the update.

Someone from the sysadmin team please push 11808.adv to updates.

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2013-11-30 22:49:19 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0362.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2013-12-02 16:46:37 CET

URL: (none) => http://lwn.net/Vulnerabilities/575368/