Bug 22037

Summary: shadowsocks-libev new security issue CVE-2017-15924
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, eatdirt, olav, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK MGA6-32-OK
Source RPM: shadowsocks-libev-2.4.3-5.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-11-15 23:26:41 CET 
Debian has issued an advisory on October 29:
https://www.debian.org/security/2017/dsa-4009

openSUSE has issued an advisory for this today (November 15):
https://lists.opensuse.org/opensuse-updates/2017-11/msg00045.html

Somehow I missed this before (I probably thought we didn't have this package).

Mageia 6 is also affected.
David Walser 2017-11-15 23:26:47 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Chris Denice 2017-11-16 11:21:25 CET 
Thanks guys for the assignment :)

I am ok to have a look, but the official maintainer is ovitters!

I am pushing an update on Cauldron, because the current version is old and not building anymore.

But for mga6, it would be better if Olav could have a look, I don't want to break too much stuff!

Let me know,
Cheers.

CC: (none) => olav

Comment 2 Chris Denice 2017-11-21 21:08:40 CET 
It seems that this is an orphan package on mga6:

urpmq --whatrequires shadowsocks-libev
shadowsocks-libev

urpmq --whatrequires  lib64shadowsocks1
lib64shadowsocks-devel
lib64shadowsocks1

Easiest way would be for me to push for mga6 the same version as the one I have pushed on Cauldron 3.0.1 + CVE patch, anyone seeing a problem?

Cheers.
Comment 3 Olav Vitters 2017-11-21 22:45:21 CET 
This is purely some leaf software to avoid restrictions on crappy networks. E.g. avoiding China firewall and so on. There's an app on Android that goes with it/

Please push same version!
Comment 4 Chris Denice 2017-11-24 22:01:11 CET 
Ok done, this is in update testing for mga6. An advisory follows. I have no idea how to test this package, so at least make sure that it installs correctly without any scriplet failing and without conflict with existing packages!





Advisory:
========================

Updated shadowsocks-libev packages to fix security vulnerability (CVE-2017-15924). An improper parsing could allow command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic.

References
==================
https://www.debian.org/security/2017/dsa-4009
https://lists.opensuse.org/opensuse-updates/2017-11/msg00045.html
https://security-tracker.debian.org/tracker/CVE-2017-15924

Updated packages in core/updates_testing:
========================
lib64shadowsocks2-3.1.0-1.mga6
lib64shadowsocks-devel-3.1.0-1.mga6
shadowsocks-libev-3.1.0-1.mga6

from SRPMS:
shadowsocks-libev-3.1.0-1.mga6

Assignee: eatdirt => qa-bugs
CC: (none) => eatdirt

David Walser 2017-11-24 22:07:46 CET

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 5 Dave Hodgins 2017-11-30 19:14:13 CET 
Confirmed update installs cleanly on both arches. Advisory committed to svn.
Validating the update.

CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA6-64-OK MGA6-32-OK
Keywords: (none) => advisory, validated_update

Comment 6 Mageia Robot 2017-12-02 00:14:21 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0436.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED