Bug 14175

Summary: not-yet-commons-ssl new security issue CVE-2014-3604
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: herman.viaene, mageia, olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/613190/
Whiteboard: advisory MGA4-32-OK mga4-64-ok
Source RPM: not-yet-commons-ssl-0.3.11-5.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-09-25 21:20:19 CEST 
Fedora has issued an advisory on September 11:
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138550.html

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-09-25 21:20:25 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Sander Lepik 2014-11-29 16:07:20 CET 
Dropped from cauldron.

Whiteboard: MGA4TOO, MGA3TOO => (none)
Version: Cauldron => 4
CC: (none) => mageia

Comment 2 David Walser 2014-12-24 22:53:08 CET 
Still gone from Cauldron for now (thankfully).

In Mageia 4 SVN it's updated to 0.3.15 to fix this and synced with Fedora 20.
Comment 3 David Walser 2014-12-24 23:43:35 CET 
Updated package uploaded for Mageia 4.

Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated not-yet-commons-ssl packages fixes security vulnerability:

It was discovered that the implementation used by the Not Yet Commons SSL
project to check that the server hostname matches the domain name in the
subject's CN field was flawed. This can be exploited by a Man-in-the-middle
(MITM) attack, where the attacker can spoof a valid certificate using a
specially crafted subject (CVE-2014-3604).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3604
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138550.html
========================

Updated package in core/updates_testing:
========================
not-yet-commons-ssl-0.3.15-1.mga4
not-yet-commons-ssl-javadoc-0.3.15-1.mga4

from not-yet-commons-ssl-0.3.15-1.mga4.src.rpm

Assignee: dmorganec => qa-bugs

Comment 4 olivier charles 2014-12-25 21:54:32 CET 
Testing on Mageia 4x32 real hardware.

First installed current packages :
not-yet-commons-ssl-0.3.11-4.mga4
not-yet-commons-ssl-javadoc-0.3.11-4.mga4

Then updated to testing packages :
not-yet-commons-ssl-0.3.15-1.mga4
not-yet-commons-ssl-javadoc-0.3.15-1.mga4

No problem detected during installation.

CC: (none) => olchal
Whiteboard: (none) => MGA4-32-OK

Comment 5 Herman Viaene 2014-12-26 09:37:00 CET 
MGA4-64 on HP Probook 6555b
No installation issues.

CC: (none) => herman.viaene

claire robinson 2014-12-26 10:42:18 CET

Whiteboard: MGA4-32-OK => MGA4-32-OK mga4-64-ok

Comment 6 claire robinson 2014-12-26 10:48:40 CET 
Validating. Advisory uploaded.

Please push to updates

Thanks

Whiteboard: MGA4-32-OK mga4-64-ok => advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Mageia Robot 2014-12-26 18:05:51 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0551.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED