Bug 16588

Summary: conntrack-tools new DoS security issue (CVE-2015-6496)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/655115/
Whiteboard: MGA4TOO advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
Source RPM: conntrack-tools-1.4.2-6.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-08-14 18:29:58 CEST 
A CVE has been requested for an issue fixed upstream in conntrack-tools:
http://openwall.com/lists/oss-security/2015/08/14/4

The upstream bug and commit to fix the issue are linked in the message above.

Mageia 4 and Mageia 5 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-08-14 18:30:05 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-08-18 16:01:58 CEST 
CVE-2015-6496 has been assigned:
http://openwall.com/lists/oss-security/2015/08/18/1

Summary: conntrack-tools new DoS security issue => conntrack-tools new DoS security issue (CVE-2015-6496)

Comment 2 David Walser 2015-08-20 20:12:23 CEST 
Debian has issued an advisory for this today (August 20):
https://www.debian.org/security/2015/dsa-3341

URL: (none) => http://lwn.net/Vulnerabilities/655115/

Comment 3 David Walser 2015-09-02 20:54:20 CEST 
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated conntrack-tools packages fix security vulnerability:

It was discovered that in certain configurations, if the relevant conntrack
kernel module is not loaded, conntrackd will crash when handling DCCP, SCTP or
ICMPv6 packets (CVE-2015-6496).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6496
https://www.debian.org/security/2015/dsa-3341
========================

Updated packages in core/updates_testing:
========================
conntrack-tools-1.4.2-2.1.mga4
conntrack-tools-1.4.2-6.1.mga5

from SRPMS:
conntrack-tools-1.4.2-2.1.mga4.src.rpm
conntrack-tools-1.4.2-6.1.mga5.src.rpm

CC: (none) => mageia
Version: Cauldron => 5
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 4 William Kenney 2015-09-09 19:23:21 CEST 
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
conntrack-tools

default conntrack-tools of conntrack-tools

[root@localhost wilcal]# urpmi conntrack-tools
Package conntrack-tools-1.4.2-2.mga4.i586 is already installed

[root@localhost wilcal]# conntrack -S  ( status responding )

install conntrack-tools from updates_testing

[root@localhost wilcal]# urpmi conntrack-tools
Package conntrack-tools-1.4.2-2.1.mga4.i586 is already installed

[root@localhost wilcal]# conntrack -S  ( status responding )

CC: (none) => wilcal.int
Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK

Comment 5 William Kenney 2015-09-09 19:37:07 CEST 
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
conntrack-tools

default conntrack-tools of conntrack-tools

[root@localhost wilcal]# urpmi conntrack-tools
Package conntrack-tools-1.4.2-2.mga4.x86_64 is already installed

[root@localhost wilcal]# conntrack -S  ( status responding )

install conntrack-tools from updates_testing

[root@localhost wilcal]# urpmi conntrack-tools
Package conntrack-tools-1.4.2-2.1.mga4.x86_64 is already installed

[root@localhost wilcal]# conntrack -S  ( status responding )
William Kenney 2015-09-09 19:37:23 CEST

Whiteboard: MGA4TOO MGA4-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK

Comment 6 William Kenney 2015-09-09 19:49:09 CEST 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
conntrack-tools

default conntrack-tools of conntrack-tools

[root@localhost wilcal]# urpmi conntrack-tools
Package conntrack-tools-1.4.2-6.mga5.i586 is already installed

[root@localhost wilcal]# conntrack -S  ( status responding )

install conntrack-tools from updates_testing

[root@localhost wilcal]# urpmi conntrack-tools
Package conntrack-tools-1.4.2-6.1.mga5.i586 is already installed

[root@localhost wilcal]# conntrack -S  ( status responding )
William Kenney 2015-09-09 19:49:27 CEST

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK

Comment 7 William Kenney 2015-09-09 20:00:05 CEST 
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
conntrack-tools

default conntrack-tools of conntrack-tools

[root@localhost wilcal]# urpmi conntrack-tools
Package conntrack-tools-1.4.2-6.mga5.x86_64 is already installed

[root@localhost wilcal]# conntrack -S  ( status responding )

install conntrack-tools from updates_testing

[root@localhost wilcal]# urpmi conntrack-tools
Package conntrack-tools-1.4.2-6.1.mga5.x86_64 is already installed

[root@localhost wilcal]# conntrack -S  ( status responding )

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK

Comment 8 William Kenney 2015-09-09 20:01:56 CEST 
This update works fine.
conntrack-tools installs cleanly, responds with its status,
updates cleanly then responds again with its status.
I don't wanna become an expert on how this works. Sooo..
Testing complete for MGA4 & MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 claire robinson 2015-09-13 22:29:00 CEST 
Advisory uploaded.

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK

Comment 10 Mageia Robot 2015-09-13 23:59:32 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0363.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED