| Summary: | perl-LWP-Protocol-https new security issue CVE-2014-3230 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | jquelin, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/599970/ | | |
| Whiteboard: | has_procedure advisory mga4-32-ok mga4-64-ok | | |
| Source RPM: | perl-LWP-Protocol-https-6.40.0-2.mga4.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2014-05-22 18:02:11 CEST

Comment 1
David Walser
2014-05-22 18:02:18 CEST
Whiteboard: (none) => MGA4TOO

The RedHat bug said that versions prior to 6.04 were not affected, but OpenSuSE released an update for 6.03 (which we have in Mageia 3) for OpenSuSE 12.3 for this, so it may be affected:
http://lists.opensuse.org/opensuse-updates/2014-05/msg00072.html

Comment 2

cauldron updated.

perl-LWP-Protocol-https-6.40.0-2.1.mga4 available in core/updates_testing

we shouldn't need the IO::Socket::SSL patch, it's only needed for versions prior to 1.950, while we should have 1.955 in mga4.

Proposed advisory (taken from redhat):
================
This release fixes a server certification validation when a certificate authority is defined by HTTPS_CA_DIR or HTTPS_CA_FILE environment variable.
================

please test & validate.

CC: (none) => jquelin

Comment 3

*** Bug 13340 has been marked as a duplicate of this bug. ***

Comment 4

Thanks Jerome. Do you have any idea about whether an update for Mageia 3 is necessary, given Comment 1? If so, the IO::Socket::SSL patch would be needed there.

Comment 5

Given that Debian, who found the bug + proposed the patch, only talks about 6.04 (and never ever mentions 6.03), I'd say that we're good.

(Note that I didn't look at the code itself, nor at the patch.)

Comment 6

(In reply to David Walser from comment #4)
> Thanks Jerome. Do you have any idea about whether an update for Mageia 3 is
> necessary, given Comment 1? If so, the IO::Socket::SSL patch would be
> needed there.

All the information I can find says only 6.04 and newer are affected. I downloaded the SRPM for the OpenSuSE 12.3 update and it looks like it's not actually a CVE fix, just updating that OpenSuSE release from 6.02 to 6.03.

Advisory:
========================

Updated perl-LWP-Protocol-https package fixes security vulnerability:

It was reported that libwww-perl (LWP), when using IO::Socket::SSL (the default) and when the HTTPS_CA_DIR or HTTPS_CA_FILE environment variables were set, would disable server certificate verification, when the intent was to only disable hostname verification (CVE-2014-3230).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3230
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133535.html
========================

Updated packages in core/updates_testing:
========================
perl-LWP-Protocol-https-6.40.0-2.1.mga4

from perl-LWP-Protocol-https-6.40.0-2.1.mga4.src.rpm

Version: Cauldron => 4

Comment 7

Testing complete mga4 32 & 64 using the test case attached here:
https://bugzilla.redhat.com/show_bug.cgi?id=1094440

Before
------
$ perl testcase.pl
... runs its tests and ends with message ...
# Looks like you failed 1 test of 16.

It actually failed on test 10..
not ok 10 - variable to wrong CA should fail: 200 Ok

After
-----
$ perl testcase.pl
... runs its tests and ends without any failure message.

Test 10 now shows..
ok 10 - variable to wrong CA should fail: 500 Can't connect to 127.0.0.1:36272 (certificate verify failed)

Whiteboard: (none) => has_procedure mga4-32-ok mga4-64-ok

Comment 8

Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update

Comment 9

Update pushed:
http://advisories.mageia.org/MGASA-2014-0257.html

Status: NEW => RESOLVED
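The advisory in comment 6 and the wrong-CA test in comment 7 above describe LWP dropping server certificate verification when the CA is supplied only through HTTPS_CA_FILE or HTTPS_CA_DIR. As an added illustration, not code from this bug report or from LWP itself, the script below builds one user agent configured only through that environment variable and one whose ssl_opts name the CA file and require peer verification explicitly, so the outcome does not depend on how the installed perl-LWP-Protocol-https maps the environment; the CA path is a constructed placeholder.

```perl
#!/usr/bin/perl
# Added illustration for CVE-2014-3230; not code from the bug report or from LWP.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Constructed placeholder; point it at a real CA bundle to use this for real.
my $ca_file = '/etc/pki/tls/certs/example-ca.pem';

# Environment-driven setup, as in the advisory: with HTTPS_CA_FILE set,
# LWP::UserAgent turns verify_hostname off for Crypt::SSLeay compatibility,
# and the affected perl-LWP-Protocol-https then disabled certificate
# verification as well instead of only hostname verification.
$ENV{HTTPS_CA_FILE} = $ca_file;
my $ua_from_env = LWP::UserAgent->new;

# Explicit setup: state the CA and the verification mode in ssl_opts, so the
# request fails against a certificate that the CA did not sign whatever the
# HTTPS backend does with HTTPS_CA_FILE.
my $ua_explicit = LWP::UserAgent->new(
    ssl_opts => {
        verify_hostname => 1,
        SSL_ca_file     => $ca_file,
        SSL_verify_mode => SSL_VERIFY_PEER,
    },
);

# Summarise what a user agent will ask IO::Socket::SSL to do.
sub describe_ssl_opts {
    my ($ua) = @_;
    my %o = map { $_ => $ua->ssl_opts($_) } $ua->ssl_opts;
    return sprintf "verify_hostname=%s SSL_verify_mode=%s SSL_ca_file=%s",
        $o{verify_hostname} // 'unset',
        $o{SSL_verify_mode} // 'unset (left to the HTTPS backend)',
        $o{SSL_ca_file}     // 'unset (taken from HTTPS_CA_FILE)';
}

print "env-driven: ", describe_ssl_opts($ua_from_env), "\n";
print "explicit:   ", describe_ssl_opts($ua_explicit), "\n";
```

Pointing SSL_ca_file at a CA that did not sign the server's certificate and requesting an HTTPS URL with $ua_explicit gives the same "certificate verify failed" outcome that test 10 expects.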