| Summary: | polarssl new security issues CVE-2014-8627 and CVE-2014-8628 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | oe, olchal, rverschelde, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/622002/ | ||
| Whiteboard: | MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK advisory | ||
| Source RPM: | polarssl-1.3.8-3.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description

David Walser 2014-11-06 14:06:43 CET

David Walser 2014-11-06 14:06:51 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Freeze push requested for Cauldron. Updated packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated polarssl packages fix security vulnerability:

A regression in PolarSSL 1.3.8 resulted in servers negotiating a weaker signature algorithm than available. This has been fixed in PolarSSL 1.3.9 (CVE-2014-8627).

Two remotely-triggerable memory leaks were found by the Codenomicon Defensics tool and fixed in PolarSSL 1.3.9 (CVE-2014-8628).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8628
https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released
http://openwall.com/lists/oss-security/2014/11/06/4
========================

Updated packages in core/updates_testing:
========================
polarssl-1.3.9-1.mga3
libpolarssl7-1.3.9-1.mga3
libpolarssl-devel-1.3.9-1.mga3
polarssl-1.3.9-1.mga4
libpolarssl7-1.3.9-1.mga4
libpolarssl-devel-1.3.9-1.mga4

from SRPMS:
polarssl-1.3.9-1.mga3.src.rpm
polarssl-1.3.9-1.mga4.src.rpm

---

CC: (none) => oe

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=11459#c7

---

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Tested Mageia 3 i586 and Mageia 4 i586 using Claire's procedure from Comment 2. pdns worked fine. polarssl-selftest passed all of the tests. On Mageia 4, the first few times I ran it the TIMING test #3 (hardclock) failed, both with polarssl 1.3.8 and 1.3.9, but the last time I ran it with 1.3.9 it passed. On Mageia 3 it always passed.

---

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Advisory uploaded.

---

CC: (none) => remi

OpenSuSE has issued an advisory for this today (November 19):
http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html

---

URL: (none) => http://lwn.net/Vulnerabilities/622002/

Testing on Mageia 3-64 real HW
Using procedure mentioned in Comment 2

Current packages:
----------------

    # rpm -q polarssl
    polarssl-1.3.8-1.mga3
    # polarssl-selftest
    [ All tests passed ]

In pdns.conf set listen on port 5300 (local-port=5300 at the end of the file)

    # dig www.example.com A @127.0.0.1 -p 5300

gave expected results

Stopped pdns service

Updated to testing packages:
---------------------------
- lib64polarssl-devel-1.3.9-1.mga3.x86_64
- lib64polarssl7-1.3.9-1.mga3.x86_64
- polarssl-1.3.9-1.mga3.x86_64

polarssl-selftest => all tests passed

Started pdns service

    # dig www.example.com A @127.0.0.1 -p 5300

gave expected results

MGA3-64 passed.

---

CC: (none) => olchal

Validating, it's been well tested already.

---

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0481.html

Status: NEW => RESOLVED
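The following helper is an added example and is not part of the bug report, the Mageia QA procedure, or the PolarSSL project. It scripts the checks the Mageia 3-64 testing comment performs by hand: compare the installed package against the advisory's fixed upstream version 1.3.9, look for the selftest summary line, and query pdns on port 5300. It assumes the package name `polarssl`, the tools `rpm`, `polarssl-selftest` and `dig` as used in that comment, and that the selftest prints `[ All tests passed ]` on success as quoted above; the function names and the `--live` switch are my own choices. The version compare and the selftest check are pure functions so they can be exercised without the packages installed.

```sh
#!/bin/sh
# Added example, not from the bug report: confirm the polarssl update is in place.
# Assumes package name "polarssl", fixed version 1.3.9 (from the advisory), and
# the tools rpm, polarssl-selftest and dig; each live step is skipped when its
# tool is absent.

FIXED_VERSION="1.3.9"

# Extract the upstream version from an "rpm -q" string such as
# "polarssl-1.3.9-1.mga3": drop the package name, then the release suffix.
rpm_version() {
  v="${1#polarssl-}"
  printf '%s\n' "${v%%-*}"
}

# Return 0 if dotted version $1 >= dotted version $2, comparing field by field
# numerically (so 1.3.10 > 1.3.9, which a plain string compare gets wrong).
# Fields are assumed to be plain integers.
version_ge() {
  x="$1."; y="$2."
  while [ -n "$x" ] || [ -n "$y" ]; do
    a="${x%%.*}"; x="${x#*.}"
    b="${y%%.*}"; y="${y#*.}"
    if [ "${a:-0}" -gt "${b:-0}" ]; then return 0; fi
    if [ "${a:-0}" -lt "${b:-0}" ]; then return 1; fi
  done
  return 0
}

# Does an installed package string meet the advisory's fixed version?
package_is_fixed() {
  version_ge "$(rpm_version "$1")" "$FIXED_VERSION"
}

# Judge captured polarssl-selftest output: success only if the summary line
# quoted in the bug is present (the hardclock TIMING flake noted in the bug
# shows up as that line being absent).
selftest_passed() {
  printf '%s\n' "$1" | grep -qF '[ All tests passed ]'
}

# Live checks mirroring the testing comment; run only with --live so the
# functions above can be sourced on their own.
verify_update() {
  if command -v rpm >/dev/null 2>&1; then
    installed="$(rpm -q polarssl)" || { echo "polarssl is not installed"; return 1; }
    if package_is_fixed "$installed"; then
      echo "OK: $installed is at or above $FIXED_VERSION"
    else
      echo "NOT FIXED: $installed is older than $FIXED_VERSION"; return 1
    fi
  fi
  if command -v polarssl-selftest >/dev/null 2>&1; then
    if selftest_passed "$(polarssl-selftest 2>&1)"; then
      echo "OK: polarssl-selftest passed"
    else
      echo "FAIL: polarssl-selftest did not report all tests passed"; return 1
    fi
  fi
  # pdns listening on 127.0.0.1:5300 (local-port=5300), as in the bug's test.
  if command -v dig >/dev/null 2>&1; then
    dig www.example.com A @127.0.0.1 -p 5300 +short +time=2 +tries=1 || return 1
  fi
}

if [ "${1:-}" = "--live" ]; then
  verify_update
fi
```

Run it as `sh verify-polarssl.sh --live` on the updated host; without `--live` it only defines the functions. The numeric field compare matters here because the fix is a 1.3.8 to 1.3.9 step and a later 1.3.10 would sort before 1.3.9 under string comparison.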