| Summary: | mono new TLS implementation security vulnerabilities (CVE-2015-231[89], CVE-2015-2320) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | matteo.pasotti, rverschelde, shlomif, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/637287/ | ||
| Whiteboard: | MGA4-64-OK has_procedure MGA4-32-OK advisory | ||
| Source RPM: | mono-3.12.0-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2015-03-07 17:33:33 CET

David Walser
2015-03-07 17:33:43 CET
Whiteboard: (none) => MGA5TOO, MGA4TOO

mono-3.12.1-1.mga5 uploaded for Cauldron. Thanks Matteo!
Version: Cauldron => 4

I'm on it (MGA4)

I have uploaded a patched package for Mageia 4. This patched package fixes Mono's TLS stack vulnerabilities.

Suggested advisory:
========================

A TLS impersonation attack was discovered in Mono's TLS stack by researchers at Inria. During checks on the TLS stack, they have discovered two further issues which have been fixed - SSLv2 support. These vulnerabilities affect basically every Mono version ever released.

References:
http://openwall.com/lists/oss-security/2015/03/07/2
https://gist.github.com/directhex/f8c6e67f551d8a608154
========================

Updated packages in core/updates_testing:
========================
mono-3.2.3-5.1.mga4

Status: ASSIGNED => NEW

Before we assign to QA, why have you added this patch:
https://gist.github.com/directhex/f8c6e67f551d8a608154

but not these?:
https://gist.github.com/directhex/728af6f96d1b8c976659
https://github.com/mono/mono/commit/b371da6b2d68b4cdd0f21d6342af6c42794f998b

Assignee: qa-bugs => matteo.pasotti

I'm fixing it right now.

David, mono-3.2.3-5.2.mga4 has been pushed to the bs. It should include all the needed fixes, but check it, pls. I'll wait for your feedback before assigning to qa.

Looks good Matteo, thanks! Now we just need a complete advisory (I think the one from earlier just referred to the one patch).

I have uploaded a patched package for Mageia 4. This patched package fixes Mono's TLS stack vulnerabilities and drops SSLv2 fallback (fixing some issues).

Suggested advisory:
========================

A TLS impersonation attack was discovered in Mono's TLS stack by researchers at Inria. During checks on the TLS stack, they have discovered two further issues which have been fixed - SSLv2 support. These vulnerabilities affect basically every Mono version ever released.

References:
http://openwall.com/lists/oss-security/2015/03/07/2
https://gist.github.com/directhex/f8c6e67f551d8a608154
https://gist.github.com/directhex/728af6f96d1b8c976659
https://github.com/mono/mono/commit/b371da6b2d68b4cdd0f21d6342af6c42794f998b
http://svnweb.mageia.org/packages/updates/4/mono/current/SOURCES/mono-3.2.3-drop_sslv2_fallback.patch?revision=818477&view=co
http://svnweb.mageia.org/packages/updates/4/mono/current/SOURCES/patch3-2.6.7.patch?revision=818473&view=co
http://svnweb.mageia.org/packages/updates/4/mono/current/SOURCES/patch1-3.2.8.patch?revision=818428&view=co
========================

Updated packages in core/updates_testing:
========================
mono-3.2.3-5.2.mga4

Assignee: matteo.pasotti => qa-bugs

Thanks Matteo!

Advisory:
========================

A TLS impersonation attack was discovered in Mono's TLS stack by researchers at Inria. During checks on the TLS stack, they have discovered two further issues which have been fixed, a vulnerability to a protocol downgrade attack and SSLv2 support still being available.

References:
http://openwall.com/lists/oss-security/2015/03/07/2
========================

Updated packages in core/updates_testing:
========================
mono-3.2.3-5.2.mga4
mono-doc-3.2.3-5.2.mga4
libmono0-3.2.3-5.2.mga4
libmono2.0_1-3.2.3-5.2.mga4
mono-data-sqlite-3.2.3-5.2.mga4
libmono-devel-3.2.3-5.2.mga4
mono-winfxcore-3.2.3-5.2.mga4
mono-web-3.2.3-5.2.mga4
mono-data-oracle-3.2.3-5.2.mga4
mono-data-3.2.3-5.2.mga4
mono-extras-3.2.3-5.2.mga4
mono-ibm-data-db2-3.2.3-5.2.mga4
mono-winforms-3.2.3-5.2.mga4
mono-locale-extras-3.2.3-5.2.mga4
mono-data-postgresql-3.2.3-5.2.mga4
mono-nunit-3.2.3-5.2.mga4
monodoc-core-3.2.3-5.2.mga4
mono-rx-core-3.2.3-5.2.mga4
mono-rx-desktop-3.2.3-5.2.mga4
mono-wcf-3.2.3-5.2.mga4

from mono-3.2.3-5.2.mga4.src.rpm

CC: (none) => matteo.pasotti

CVEs have been assigned:
http://openwall.com/lists/oss-security/2015/03/17/9

Advisory:
========================

A TLS impersonation attack was discovered in Mono's TLS stack by researchers at Inria (CVE-2015-2318). During checks on the TLS stack, they have discovered two further issues which have been fixed, a vulnerability to a protocol downgrade attack (CVE-2015-2319) and SSLv2 support still being available (CVE-2013-2320).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2318
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2319
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2320
http://openwall.com/lists/oss-security/2015/03/17/9

Summary: mono new TLS implementation security vulnerabilities => mono new TLS implementation security vulnerabilities (CVE-2015-231[89], CVE-2015-2320)

As discussed in the last QA meeting, a good way to test Mono is with the banshee music player. In this case, since the update impacts the TLS implementation, if there's a way to get banshee to connect to something (maybe a music service) via https, that would suffice.
David Walser
2015-03-19 16:47:45 CET
URL: (none) => http://lwn.net/Vulnerabilities/637287/

Debian has issued an advisory for this on March 22:
https://www.debian.org/security/2015/dsa-3202
Rémi Verschelde
2015-04-04 12:55:03 CEST
CC: (none) => remi

(In reply to David Walser from comment #12)
> As discussed in the last QA meeting, a good way to test Mono is with the
> banshee music player. In this case, since the update impacts the TLS
> implementation, if there's a way to get banshee to connect to something
> (maybe a music service) via https, that would suffice.

There doesn't appear to be. I tried to enqueue HTTPS URLs in Banshee and it refused to play them ("http://..." URLs worked fine). I also noticed it loads data from archive.org from "http://" URLs (according to what wireshark reported). Banshee otherwise works fine.

CC: (none) => shlomif

(In reply to Shlomi Fish from comment #14)
> (In reply to David Walser from comment #12)
> > As discussed in the last QA meeting, a good way to test Mono is with the
> > banshee music player. In this case, since the update impacts the TLS
> > implementation, if there's a way to get banshee to connect to something
> > (maybe a music service) via https, that would suffice.
>
> There doesn't appear to be. I tried to enqueue HTTPS URLs in Banshee and it
> refused to play them ("http://..." URLs worked fine). I also noticed it
> loads data from archive.org from "http://" URLs (According to what wireshark
> reported). Banshee otherwise works fine.

OK, Banshee is working on MGA4-i586 and MGA4-x86-64 VMs (without using https://). Tested an HTTP .ogg, an HTTP .mp3 and an Internet Archive stream. With the MGA4-i586 version there was a problem with playing .ogg files from remote locations - http://localhost/ .oggs and remote .mp3s worked fine.

Validating.

Regards,

-- Shlomi Fish

Whiteboard: has_procedure => MGA4-64-OK has_procedure MGA4-32-OK

Thanks Shlomi. Validating.

Advisory uploaded. Please push to 4 updates. Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0156.html

Status: NEW => RESOLVED