| Summary: | radicale new security issue CVE-2017-8342 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | eatdirt, herman.viaene, lewyssmith, mageia, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5-32-OK advisory MGA5-64-OK | | |
| Source RPM: | radicale-1.1.1-1.1.mga5.src.rpm | CVE: | CVE-2017-8342 |
| Status comment: | | | |
|
Description
David Walser
2017-05-01 01:50:47 CEST
David Walser
2017-05-01 01:50:56 CEST
Whiteboard:
(none) =>
MGA5TOO

Fixed in cauldron

CC:
(none) =>
mageia

pushed in updates_testing

src.rpm:
radicale-1.1.1-1.2.mga5

Assignee:
jani.valimaa =>
qa-bugs

Thanks Nicolas!

Advisory:
========================

Updated radicale package fixes security vulnerability:

Radicale before 1.1.2 is prone to timing oracles and simple brute-force attacks when using the htpasswd authentication method (CVE-2017-8342).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8342
http://openwall.com/lists/oss-security/2017/04/30/5
========================

Updated packages in core/updates_testing:
========================
radicale-1.1.1-1.2.mga5

from radicale-1.1.1-1.2.mga5.src.rpm

Has it been pushed to Cauldron? My version is still reading 1.1.1-4.mga6!

CC:
(none) =>
eatdirt Index: SPECS/radicale.spec =================================================================== --- SPECS/radicale.spec (révision 1098165) +++ SPECS/radicale.spec (révision 1098166) @@ -3,7 +3,7 @@ Summary: Simple Calendar and Contact Server Name: radicale Version: 1.1.1 -Release: %mkrel 3 +Release: %mkrel 4 License: GPLv3+ Group: System/Servers URL: http://radicale.org/ @@ -13,6 +13,7 @@ Source3: radicale.tmpfiles # Patch0: config adjustments for systemwide installation Patch0: radicale-0.10-systemwide.patch +Patch1: radicale-1.1.1-CVE-2017-8342.patch BuildArch: noarch BuildRequires: python3-devel Requires(pre): rpm-helper >= %{rpmhelper_required_version} Indeed :) The changelog seems to be screwed in my case, I got confused. Thanks. Anyway, I am running it all the time, so I can confirm that the Cauldron version for x86_64 works perfectly fine! thanks. MGA5-32 on Acer A6000VM Xfce No installation issues Started radicale as root in CLI OK Following lead in bug 17452 comment 9, I could create a calendar in Thunderbird using radicale, and enter an item in the calendar. Whiteboard:
(none) =>
MGA5-32-OK
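
Review bot: In the second hunk (@@ -13,6 +13,7 @@), `Patch1: radicale-1.1.1-CVE-2017-8342.patch` is declared, but nothing in the visible lines applies it in %prep. If the spec applies patches individually, this commit also needs a matching `%patch1` line, otherwise the package rebuilds with the bumped release number and without the fix. Patch0 carries a comment explaining its purpose; a similar one-line comment above Patch1 naming the CVE it addresses would keep the spec consistent.
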
Lewis Smith
2017-05-10 19:12:24 CEST
Whiteboard:
MGA5-32-OK =>
MGA5-32-OK advisory

Testing M5-64

I happily already had this installed & configured & tried (see https://bugs.mageia.org/show_bug.cgi?id=17452#c9 comments 9-11).

The update was seamless to: radicale-1.1.1-1.2.mga5
Needed to start the radicale server subsequently.

Evolution then worked quite well. I could add/view/edit an appointment, visible on the calendar. Added a contact, they were all in evidence.

Kontact half worked, but its (or my) failures were the same as previously. You seem to be able to add events, but they do not show on the calendars. However, they do via the 'summary' button. For contacts, you seem to be able to add one, but never see it subsequently in the address books. Notes can be added & seen.

OKing this. Validating.

Whiteboard:
MGA5-32-OK advisory =>
MGA5-32-OK advisory MGA5-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0140.html

Resolution:
(none) =>
FIXED |