Bug 13914

Summary: serf new security issue CVE-2014-3504
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: lewyssmith, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/608737/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga4-64-ok
Source RPM: serf-1.3.2-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-08-15 18:18:42 CEST 
Ubuntu has issued an advisory on August 14:
http://www.ubuntu.com/usn/usn-2315-1/

The issue was fixed upstream in 1.3.7, just uploaded in Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated serf packages fix security vulnerability:

Ben Reser discovered that serf did not correctly handle SSL certificates
with NUL bytes in the CommonName or SubjectAltNames fields. A remote
attacker could exploit this to perform a man in the middle attack to view
sensitive information or alter encrypted communications (CVE-2014-3504).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3504
http://www.ubuntu.com/usn/usn-2315-1/
========================

Updated packages in core/updates_testing:
========================
libserf0-1.1.1-2.1.mga3
libserf-devel-1.1.1-2.1.mga3
libserf1-1.3.2-2.1.mga4
libserf-devel-1.3.2-2.1.mga4

from SRPMS:
serf-1.1.1-2.1.mga3.src.rpm
serf-1.3.2-2.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-08-15 18:18:48 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Lewis Smith 2014-08-17 21:47:33 CEST 
The description of *this* thing:
"The serf library is a C-based HTTP client library built upon the Apache Portable Runtime (APR) library. It multiplexes connections, running the read/write communication asynchronously. Memory copies and transformations are kept to a minimum to provide high performance operation."
Home page http://code.google.com/p/serf/
should not be confused with http://www.serfdom.io/intro/ :
"What is Serf?
Serf is a tool for cluster membership, failure detection, and orchestration that is decentralized, fault-tolerant and highly available." Beware.

CC: (none) => lewyssmith

Comment 2 David Walser 2014-08-17 22:57:01 CEST 
I think the bottom line for this one is that nothing uses it in Mageia 3 (so just make sure it installs fine) and subversion uses it in Mageia 4 (so validate this one along with the subversion update).
Comment 3 claire robinson 2014-08-26 15:16:15 CEST 
Testing complete mga4 64

The serf binary is not provided, only the library, so this is really the best testing we can do in this case.

$ strace -o ~/strace.out svn up
Updating '.':
At revision 1880.

$ grep serf ~/strace.out
open("/usr/lib64/libsvn_ra_serf-1.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libserf-1.so.1", O_RDONLY|O_CLOEXEC) = 3

Shows the library being used..

$ urpmf /usr/lib64/libserf-1.so.1
lib64serf1:/usr/lib64/libserf-1.so.1
lib64serf1:/usr/lib64/libserf-1.so.1.3.0

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 4 claire robinson 2014-08-26 16:06:16 CEST 
Testing complete mga3 32, 

# urpmq --whatrequires libserf0
libserf-devel
libserf0

As the lib is not used by any packages in mga3, just ensuring the update applies cleanly.

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Comment 5 claire robinson 2014-08-26 16:20:32 CEST 
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2014-08-27 01:05:28 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0353.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED