| Summary: | tntnet new security issue CVE-2013-7299 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | anssi.hannula, cmrisolde, stormi-mageia, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | Security, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/584268/ | ||
| Whiteboard: | MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK mga4-32-ok advisory | ||
| Source RPM: | tntnet-2.2-2.mga4.src.rpm | CVE: | CVE-2013-7299 |
| Status comment: | |||
|
Description
David Walser
2014-02-05 19:31:11 CET
David Walser
2014-02-05 19:31:18 CET
Whiteboard:
(none) =>
MGA4TOO, MGA3TOO

Advisory:
============
A flaw in Tntnet allows remote attackers to obtain sensitive information via a header that ends in \n instead of \r\n, which prevents a null terminator from being added and causes Tntnet to include headers from other requests. This update fixes the vulnerability.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7299
============

Updated packages in mga3+mga4 core/updates_testing and cauldron core/release.

Source packages:
tntnet-2.1-2.1.mga3
tntnet-2.2-2.1.mga4

Binary packages:
tntnet-2.1-2.1.mga3
tntnet-demos-2.1-2.1.mga3
lib64tntnet10-2.1-2.1.mga3
lib64tntnet-devel-2.1-2.1.mga3
tntnet-2.2-2.1.mga4
tntnet-demos-2.2-2.1.mga4
lib64tntnet11-2.2-2.1.mga4
lib64tntnet-devel-2.2-2.1.mga4

Keywords:
(none) =>
Security

Thanks Anssi! Just making some formatting changes.

Advisory:
========================

Updated tntnet packages fix security vulnerability:

A flaw in Tntnet before 2.2.1 allows remote attackers to obtain sensitive information via a header that ends in \n instead of \r\n, which prevents a null terminator from being added and causes Tntnet to include headers from other requests (CVE-2013-7299).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7299
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127746.html
========================

Updated packages in core/updates_testing:
========================
tntnet-2.1-2.1.mga3
tntnet-demos-2.1-2.1.mga3
libtntnet10-2.1-2.1.mga3
libtntnet-devel-2.1-2.1.mga3
tntnet-2.2-2.1.mga4
tntnet-demos-2.2-2.1.mga4
libtntnet11-2.2-2.1.mga4
libtntnet-devel-2.2-2.1.mga4

from SRPMS:
tntnet-2.1-2.1.mga3.src.rpm
tntnet-2.2-2.1.mga4.src.rpm

Version:
Cauldron =>
4

Procedure:

Follow "How to create your first web application" from http://www.tntnet.org/quick-start-guide.html

----------------------
To create a web application it is necessary to create some initial project files. This is achieved by executing tntnet-config:

    tntnet-config --project=myfirstproject

This creates:

    a directory "myfirstproject"
    a source file "myfirstproject.ecpp" containing your application
    a configurationfile "tntnet.xml"
    a Makefile

To build and execute your first enter the following commands:

    cd myfirstproject
    make
    tntnet

Now you can start your web browser and navigate to http://localhost:8000/myfirstproject. You can see the result of your first running tntnet application, which prints the name of the application.
----------------------

Testing mga3 64

The lib devel is providing /usr/bin/tntnet-config which seems wrong, can you confirm this is correct Anssi please?

$ urpmf tntnet-config
lib64tntnet-devel:/usr/bin/multiarch-x86_64-linux/tntnet-config
lib64tntnet-devel:/usr/bin/tntnet-config
lib64tntnet-devel:/usr/share/man/man1/tntnet-config.1.xz

Whiteboard:
MGA3TOO =>
MGA3TOO has_procedure feedback

It is debatable, but I think it is OK. IIRC Tntnet web applications are C++ software compiled against Tntnet, so you need the -devel package to build them.

Debian and Fedora also have tntnet-config in -devel.

Whiteboard:
MGA3TOO has_procedure feedback =>
MGA3TOO has_procedure

Testing complete mga3 32 & 64

Whiteboard:
MGA3TOO has_procedure =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Advisory uploaded.

CC:
(none) =>
stormi

tntnet requires libcxxtools (bug 12691) so both can be tested together.

(In reply to claire robinson from comment #4)
> Testing mga3 64
>
> The lib devel is providing /usr/bin/tntnet-config which seems wrong, can you
> confirm this is correct Anssi please?
>
> $ urpmf tntnet-config
> lib64tntnet-devel:/usr/bin/multiarch-x86_64-linux/tntnet-config
> lib64tntnet-devel:/usr/bin/tntnet-config
> lib64tntnet-devel:/usr/share/man/man1/tntnet-config.1.xz

And a require/suggest for gcc-c++

g++ -I/usr/include -fPIC -O2 -c -o myfirstproject.o myfirstproject.cpp
make: g++: commande introuvable

Whiteboard:
MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK advisory

Tested Mga3 32-bit, worked as expected before and after update.

So that seems to complete testing for this one.

Update validated.

See comment 2 for advisory and SRPM.

Could sysadmin please push from core/updates_testing to core/updates.

Thank you.

Keywords:
(none) =>
validated_update

(In reply to Carolyn Rowse from comment #10)
> See comment 2 for advisory and SRPM.
>

Actually the advisory was already uploaded to SVN.

Update pushed:
http://advisories.mageia.org/MGASA-2014-0072.html

Status:
ASSIGNED =>
RESOLVED
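The parsing flaw the advisory describes (a header line ending in \n instead of \r\n leaves the value unterminated, so bytes from an earlier request remain readable), shown as an added example that is not part of the original bug report and is not Tntnet's code or its fix. It is a simplified C model: `value_buf`, `read_value_weak` and `read_value_strict` are hypothetical names, and the header values are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 128
/* Simplified model (assumption, not Tntnet source): one value buffer is
 * reused for every request a worker handles. */
static char value_buf[BUF_SZ];

/* Weak form: the terminator is written only when CRLF is seen. A bare LF
 * ends the line without terminating, so stale bytes stay readable. */
const char *read_value_weak(const char *line)
{
    size_t i = 0;
    for (; line[i] != '\0' && i < BUF_SZ - 1; i++) {
        if (line[i] == '\r' && line[i + 1] == '\n')
            break;                      /* terminated below */
        if (line[i] == '\n')
            return value_buf;           /* defect: no terminator written */
        value_buf[i] = line[i];
    }
    value_buf[i] = '\0';
    return value_buf;
}

/* Hardened form: only CRLF ends a value; any other exit clears the buffer
 * and returns NULL so the caller can answer 400 Bad Request. */
const char *read_value_strict(const char *line)
{
    size_t i = 0;
    for (; line[i] != '\0' && i < BUF_SZ - 1; i++) {
        if (line[i] == '\r' && line[i + 1] == '\n') {
            value_buf[i] = '\0';
            return value_buf;
        }
        if (line[i] == '\r' || line[i] == '\n')
            break;                      /* bare CR or bare LF */
        value_buf[i] = line[i];
    }
    memset(value_buf, 0, sizeof value_buf);
    return NULL;
}

int main(void)
{
    /* Constructed header values; the "secret" is sample data. */
    read_value_weak("session=constructed-secret\r\n");
    printf("weak:   %s\n", read_value_weak("x=1\n"));
    read_value_strict("session=constructed-secret\r\n");
    printf("strict: %s\n", read_value_strict("x=1\n") ? "accepted" : "rejected");
    return 0;
}
```

For QA, the same pair of inputs (a CRLF-terminated header followed by an LF-terminated one) is what distinguishes a fixed parser from an unfixed one.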