| Summary: | networkmanager new security issue CVE-2016-0764 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | geiger.david68210, makowski.mageia, marja11, sysadmin-bugs, tmb |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/688456/ | | |
| Whiteboard: | has_procedure advisory mga5-64-ok | | |
| Source RPM: | networkmanager-1.0.2-2.mga5.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 18477 | | |
| Bug Blocks: | | | |

Description
David Walser
2016-04-04 23:38:52 CEST
Olav Vitters
2016-04-05 20:34:24 CEST
Assignee:
olav =>
bugsquad

Assigning to all packagers collectively, since there is no maintainer for this package.
CC:
(none) =>
marja11

Well! done for 1.0.12 upstream release:

Packages in 5/core/updates_testing:
========================
networkmanager-1.0.12-1.mga5.i586.rpm
networkmanager-tui-1.0.12-1.mga5.i586.rpm
libnm0-1.0.12-1.mga5.i586.rpm
libnm-devel-1.0.12-1.mga5.i586.rpm
libnm-util2-1.0.12-1.mga5.i586.rpm
libnetworkmanager-gir1.0-1.0.12-1.mga5.i586.rpm
libnm-util-devel-1.0.12-1.mga5.i586.rpm
libnm-glib4-1.0.12-1.mga5.i586.rpm
libnmclient-gir1.0-1.0.12-1.mga5.i586.rpm
libnm-glib-devel-1.0.12-1.mga5.i586.rpm
libnm-glib-vpn1-1.0.12-1.mga5.i586.rpm
libnm-glib-vpn-devel-1.0.12-1.mga5.i586.rpm
networkmanager-1.0.12-1.mga5.x86_64.rpm
networkmanager-tui-1.0.12-1.mga5.x86_64.rpm
lib64nm0-1.0.12-1.mga5.x86_64.rpm
lib64nm-devel-1.0.12-1.mga5.x86_64.rpm
lib64nm-util2-1.0.12-1.mga5.x86_64.rpm
lib64networkmanager-gir1.0-1.0.12-1.mga5.x86_64.rpm
lib64nm-util-devel-1.0.12-1.mga5.x86_64.rpm
lib64nm-glib4-1.0.12-1.mga5.x86_64.rpm
lib64nmclient-gir1.0-1.0.12-1.mga5.x86_64.rpm
lib64nm-glib-devel-1.0.12-1.mga5.x86_64.rpm
lib64nm-glib-vpn1-1.0.12-1.mga5.x86_64.rpm
lib64nm-glib-vpn-devel-1.0.12-1.mga5.x86_64.rpm

Source RPM:
========================
networkmanager-1.0.12-1.mga5.src.rpm
CC:
(none) =>
geiger.david68210

Thanks David! Here's a preliminary advisory. Do any other networkmanager-* SRPMS need to be updated too?

Advisory:
========================

Updated networkmanager package fixes security vulnerability:

NetworkManager before 1.0.12 is vulnerable to a race condition that could lead to a local information leak (CVE-2016-0764).

The networkmanager package has been updated to version 1.0.12, which fixes this issue and several other bugs. See the upstream NEWS file for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0764
https://mail.gnome.org/archives/networkmanager-list/2016-April/msg00000.html
https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS?h=1.0.12
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181143.html

1.0.12 regresses on some wireless drivers
https://bugzilla.gnome.org/show_bug.cgi?id=763388
CC:
(none) =>
tmb

the patch is here:
https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=0f6febc6fbeafde62e6e0a8c12f57204d94166f
CC:
(none) =>
makowski.mageia

So there is a new set of updated packages with the mentioned patch by Philippe in comment 5

Packages in 5/core/updates_testing:
========================
networkmanager-1.0.12-1.1.mga5
networkmanager-tui-1.0.12-1.1.mga5
libnm0-1.0.12-1.1.mga5
libnm-devel-1.0.12-1.1.mga5
libnm-util2-1.0.12-1.1.mga5
libnetworkmanager-gir1.0-1.0.12-1.1.mga5
libnm-util-devel-1.0.12-1.1.mga5
libnm-glib4-1.0.12-1.1.mga5
libnmclient-gir1.0-1.0.12-1.1.mga5
libnm-glib-devel-1.0.12-1.1.mga5
libnm-glib-vpn1-1.0.12-1.1.mga5
libnm-glib-vpn-devel-1.0.12-1.1.mga5
lib64nm0-1.0.12-1.1.mga5
lib64nm-devel-1.0.12-1.1.mga5
lib64nm-util2-1.0.12-1.1.mga5
lib64networkmanager-gir1.0-1.0.12-1.1.mga5
lib64nm-util-devel-1.0.12-1.1.mga5
lib64nm-glib4-1.0.12-1.1.mga5
lib64nmclient-gir1.0-1.0.12-1.1.mga5
lib64nm-glib-devel-1.0.12-1.1.mga5
lib64nm-glib-vpn1-1.0.12-1.1.mga5
lib64nm-glib-vpn-devel-1.0.12-1.1.mga5

Source RPM:
========================
networkmanager-1.0.12-1.1.mga5.src.rpm

Is this ready for QA, or do the other networkmanager packages need to be updated to 1.0.12 too?

I would say yes it is ready for QA, other networkmanager packages seem to be not affected.

There is another issue affecting networkmanager through the libndp library:
http://openwall.com/lists/oss-security/2016/05/17/9
https://rhn.redhat.com/errata/RHSA-2016-1086.html
(CVE-2016-3698)
David Walser
2016-05-17 21:35:00 CEST
Depends on:
(none) =>
18477

Testing complete mga5 64

See here for how to switch to networkmanager.
https://forums.mageia.org/en/viewtopic.php?f=25&t=5782

I use NM on my laptop, it seems better at managing multiple networks.

Installed updates & rebooted to ensure network was started from cold. Accessed using nm-applet and also checked nmtui in a terminal which gives a useful curses interface.
Whiteboard:
(none) =>
has_procedure mga5-64-ok
claire robinson
2016-05-21 21:24:20 CEST
Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0195.html
Status:
NEW =>
RESOLVED
David Walser
2016-05-23 20:22:45 CEST
URL:
http://lwn.net/Vulnerabilities/682388/ =>
http://lwn.net/Vulnerabilities/688456/