| Summary: | polarssl new security issue CVE-2014-4911 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | mageia, oe, rverschelde, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/605927/ | | |
| Whiteboard: | MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK advisory | | |
| Source RPM: | polarssl-1.3.4-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2014-07-18 17:45:58 CEST
David Walser
2014-07-18 17:46:04 CEST
Whiteboard:
(none) =>
MGA4TOO, MGA3TOO

Real DSA link: https://www.debian.org/security/2014/dsa-2981

Fixed with polarssl-1.3.8-1.mga3, polarssl-1.3.8-1.mga4 & polarssl-1.3.8-1.mga5.

NOTE. pdns is being rebuilt due to a soname major bump from 5 to 7 in polarssl-1.3.8, so you need to push pdns as well.

Thanks Oden!

Advisory:
========================

Updated polarssl packages fix security vulnerability:

A flaw was discovered in PolarSSL, a lightweight crypto and SSL/TLS library, which can be exploited by a remote unauthenticated attacker to mount a denial of service against PolarSSL servers that offer GCM ciphersuites. Potentially clients are affected too if a malicious server decides to execute the denial of service attack against its clients (CVE-2014-4911).

The pdns package has been rebuilt against the updated polarssl library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4911
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02
https://polarssl.org/tech-updates/releases/polarssl-1.3.8-released
https://www.debian.org/security/2014/dsa-2981
========================

Updated packages in core/updates_testing:
========================
polarssl-1.3.8-1.mga3
libpolarssl7-1.3.8-1.mga3
libpolarssl-devel-1.3.8-1.mga3
pdns-3.3.1-1.3.mga3
pdns-backend-pipe-3.3.1-1.3.mga3
pdns-backend-mysql-3.3.1-1.3.mga3
pdns-backend-pgsql-3.3.1-1.3.mga3
pdns-backend-ldap-3.3.1-1.3.mga3
pdns-backend-sqlite-3.3.1-1.3.mga3
pdns-backend-geo-3.3.1-1.3.mga3
polarssl-1.3.8-1.mga4
libpolarssl7-1.3.8-1.mga4
libpolarssl-devel-1.3.8-1.mga4
pdns-3.3.1-2.2.mga4
pdns-backend-pipe-3.3.1-2.2.mga4
pdns-backend-mysql-3.3.1-2.2.mga4
pdns-backend-pgsql-3.3.1-2.2.mga4
pdns-backend-ldap-3.3.1-2.2.mga4
pdns-backend-sqlite-3.3.1-2.2.mga4
pdns-backend-geo-3.3.1-2.2.mga4

from SRPMS:
polarssl-1.3.8-1.mga3.src.rpm
pdns-3.3.1-1.3.mga3.src.rpm
polarssl-1.3.8-1.mga4.src.rpm
pdns-3.3.1-2.2.mga4.src.rpm

CC:
(none) =>
oe

Above link should be bug 11459 comment 7.

Testing complete Mageia 4 32bit, following the procedure linked in comment 5.

All tests passed with polarssl-selftest.

I configured /etc/powerdns/pdns.conf with

    local-address=127.0.0.1
    local-port=2000

The dig call gives:

    $ dig www.example.com A @127.0.0.1 -p 2000
    ; <<>> DiG 9.9.4-P2 <<>> www.example.com A @127.0.0.1 -p 2000
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7915
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 2800
    ;; QUESTION SECTION:
    ;www.example.com. IN A
    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#2000(127.0.0.1)
    ;; WHEN: lun. août 04 21:41:33 CEST 2014
    ;; MSG SIZE rcvd: 44

Whiteboard:
MGA3TOO has_procedure =>
MGA3TOO has_procedure MGA4-32-OK

Testing complete Mageia 4 64bit.

Whiteboard:
MGA3TOO has_procedure MGA4-32-OK =>
MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK

Advisory uploaded.

Whiteboard:
MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK =>
MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK advisory

Testing complete mga3 64

    # polarssl-selftest | tail
    PBKDF2 (SHA1) #5: passed
    TIMING tests note: will take some time!
    TIMING test #1 (m_sleep / get_timer): passed
    TIMING test #2 (set_alarm / get_timer): passed
    TIMING test #3 (hardclock / get_timer): passed
    TIMING test #4 (net_usleep/ get_timer): passed
    [ All tests passed ]

Added these in /etc/powerdns/pdns.conf

    allow-recursion=127.0.0.1
    local-address=0.0.0.0
    local-port=2000
    recursor=8.8.8.8

Start the service

    # service pdns start
    # dig mageia.org A @127.0.0.1 -p 2000
    ; <<>> DiG 9.9.4-P2 <<>> mageia.org A @127.0.0.1 -p 2000
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63464
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;mageia.org. IN A
    ;; ANSWER SECTION:
    mageia.org. 866 IN A 217.70.188.116
    ...etc

Whiteboard:
MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK advisory =>
MGA3TOO has_procedure mga3-64-ok MGA4-32-OK MGA4-64-OK advisory

Testing complete mga3 32

Validating. Advisory already uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords:
(none) =>
validated_update

Update pushed.

http://advisories.mageia.org/MGASA-2014-0315.html

Status:
NEW =>
RESOLVED