| Summary: | plasma-nm does not perform VPN certificate verification | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, lmenut, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/626419/ | | |
| Whiteboard: | advisory MGA4-32-OK MGA4-64-OK | | |
| Source RPM: | plasma-nm-0.9.3.2-1.mga4.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser, 2014-12-15 21:55:54 CET

David Walser, 2014-12-15 21:56:03 CET
Whiteboard: (none) => MGA4TOO

(In reply to David Walser from comment #0)
> Fedora has issued an advisory on November 7:
> https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145190.html

The Fedora update to the Plasma-nm 0.9.3.5 release is not related to this vulnerability. This is https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146024.html

> They also did the same for plasma-networkmanagement, but as far as I can
> tell, we don't have that packaged.
>
> I'm not sure if plasma5-nm is affected, but it probably is.

yep, probably, but unfortunately they forgot to push the fix in the branch Plasma/5.1 that is used to make the upcoming Plasma 5.1.2 :-(

> Fedora has added upstream patches to fix this, and the upstream bug links
> git commits:
> http://pkgs.fedoraproject.org/cgit/kde-plasma-nm.git/commit/?h=f20&id=70e3d766e0acff18e49fabc8b6041018902bb95b
> https://bugs.kde.org/show_bug.cgi?id=341069
>
> Mageia 4 is also affected.
>
> Reproducible:
>
> Steps to Reproduce:

Hardware: i586 => All

Oops, I did indeed use the wrong Fedora link. It is indeed this one from December 4:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146024.html
Sorry about that. I thought that date looked wrong.

plasma-nm and plasma5-nm are fixed in Cauldron with
- plasma-nm-0.9.3.5-2.mga5 (upstream patches from branch 0.9.3),
- plasma5-nm-5.1.2-2.mga5 (upstream patches from branch master).

Whiteboard: MGA4TOO => (none)

Suggested advisory:

Updated plasma-applet-nm packages add OpenVPN option for server certificate verification

Plasma-nm does not tell OpenVPN to perform server certificate verification. Consequently, anyone with the preshared key is able to perform a MITM attack by impersonating the server. This update adds an option to the OpenVPN plugin for server certificate verification.

References:
https://bugs.mageia.org/show_bug.cgi?id=14812
https://bugs.kde.org/show_bug.cgi?id=341069
http://lwn.net/Vulnerabilities/626419
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146024.html

src.rpm: plasma-nm-0.9.3.2-1.1.mga4.src.rpm

packages for i586:
plasma-applet-nm-0.9.3.2-1.1.mga4.i586.rpm
plasma-applet-nm-openconnect-0.9.3.2-1.1.mga4.i586.rpm
plasma-applet-nm-openvpn-0.9.3.2-1.1.mga4.i586.rpm
plasma-applet-nm-pptp-0.9.3.2-1.1.mga4.i586.rpm
plasma-applet-nm-vpnc-0.9.3.2-1.1.mga4.i586.rpm

packages for x86_64:
plasma-applet-nm-0.9.3.2-1.1.mga4.x86_64.rpm
plasma-applet-nm-openconnect-0.9.3.2-1.1.mga4.x86_64.rpm
plasma-applet-nm-openvpn-0.9.3.2-1.1.mga4.x86_64.rpm
plasma-applet-nm-pptp-0.9.3.2-1.1.mga4.x86_64.rpm
plasma-applet-nm-vpnc-0.9.3.2-1.1.mga4.x86_64.rpm

CC: (none) => lmenut

MGA4-64 on HP Probook 6555b KDE and MGA-32 on Acer D620 Xfce. No installation issues.

CC: (none) => herman.viaene

Validating. Advisory uploaded. Please push to updates. Thanks

CC: (none) => sysadmin-bugs

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0560.html

Status: NEW => RESOLVED
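The advisory above describes a client profile that never asks OpenVPN to verify the server's certificate. The following audit script is an added example and is not code from plasma-nm, nm-openvpn or the bug report: it checks constructed client profiles, both raw .ovpn files and NetworkManager keyfiles, for a server-verification directive and flags the ones that rely on the shared tls-auth key alone. The keyfile key name `remote-cert-tls`, the host `vpn.example.test` and all file names are assumptions for the sample.

```python
"""Audit OpenVPN client profiles for a missing server-certificate check (constructed samples)."""
import configparser

# Directives that make OpenVPN confirm the peer really is a server.
# Without one, any holder of the shared tls-auth key can pose as the server.
VERIFY_DIRECTIVES = ("remote-cert-tls", "ns-cert-type", "verify-x509-name")

def ovpn_verifies_server(text: str) -> bool:
    """True if a raw .ovpn config carries a server-verification directive with an argument."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop OpenVPN comments
        parts = line.split()
        if parts and parts[0] in VERIFY_DIRECTIVES and len(parts) >= 2:
            return True
    return False

def nm_openvpn_verifies_server(text: str) -> bool:
    """True if a NetworkManager keyfile OpenVPN profile requests server verification.
    Assumption (not from the report): nm-openvpn stores it as remote-cert-tls=server under [vpn]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("vpn", "service-type", fallback="") != "org.freedesktop.NetworkManager.openvpn":
        raise ValueError("not an OpenVPN profile")
    return cp.get("vpn", "remote-cert-tls", fallback="") == "server"

# Constructed .ovpn profiles: the weak one relies on tls-auth alone, the fixed one pins the server role.
WEAK_OVPN = "client\nremote vpn.example.test 1194\nca ca.crt\ncert me.crt\nkey me.key\ntls-auth ta.key 1\n"
FIXED_OVPN = WEAK_OVPN + "# reject peers whose certificate lacks the server role\nremote-cert-tls server\n"

# Constructed NetworkManager keyfile profiles for the same connection.
WEAK_KEYFILE = """[connection]
id=office
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
remote=vpn.example.test
ca=/etc/openvpn/ca.crt
ta=/etc/openvpn/ta.key
"""
FIXED_KEYFILE = WEAK_KEYFILE + "remote-cert-tls=server\n"

def audit_all() -> dict:
    """Map each constructed profile name to whether it verifies the server."""
    return {"weak.ovpn": ovpn_verifies_server(WEAK_OVPN), "fixed.ovpn": ovpn_verifies_server(FIXED_OVPN),
            "weak.nmconnection": nm_openvpn_verifies_server(WEAK_KEYFILE),
            "fixed.nmconnection": nm_openvpn_verifies_server(FIXED_KEYFILE)}

if __name__ == "__main__":
    for name, ok in audit_all().items():
        print(f"{name}: {'verifies server' if ok else 'NO server verification (MITM-able)'}")
```

The same two functions can be pointed at real files under /etc/openvpn or /etc/NetworkManager/system-connections to find profiles that a fixed plasma-nm still needs the new option enabled for.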