| Summary: | mumble new security issue CVE-2018-20743 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | bequimao.de, davidwhodgins, geiger.david68210, mhrambo3501, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | mumble-1.2.19-6.mga7.src.rpm | CVE: | |
| Status comment: | Patch available from Debian | ||
Description
David Walser
2019-03-08 21:18:58 CET
David Walser
2019-03-08 21:19:07 CET
Whiteboard:
(none) =>
MGA6TOO
David Walser
2019-03-09 02:25:06 CET
Assignee:
bugsquad =>
geiger.david68210
David Walser
2019-03-09 17:34:05 CET
Status comment:
(none) =>
Patch available from Debian

Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated mumble package fixes security vulnerability:

It was discovered that insufficient restrictions in the connection handling of Mumble, a low latency encrypted VoIP client, could result in denial of service (CVE-2018-20743).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20743
https://security-tracker.debian.org/tracker/CVE-2018-20743
https://www.debian.org/security/2019/dsa-4402
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.19-1.1.mga6
mumble-1.2.19-plugins-1.1.mga6
mumble-1.2.19-protocol-kde4-1.1.mga6
mumble-1.2.19-protocol-plasma5-1.1.mga6
mumble-1.2.19-server-1.1.mga6
mumble-1.2.19-server-web-1.1.mga6

from mumble-1.2.19-1.1.mga6.src.rpm

Testing procedure https://bugs.mageia.org/show_bug.cgi?id=6511#c29

Whiteboard:
MGA6TOO =>
(none)

I installed mumble, tested the configuration workflow with pavucontrol, created a certificate automatically, and connected to an external server. I got confirmation that I was heard. Everything looks fine.

Not tested mumble-server yet.

Ulrich

Installed Packages
mumble.x86_64 1.2.19-1.1.mga6 @updates_testing-x86_64
mumble-plugins.x86_64 1.2.19-1.1.mga6 @updates_testing-x86_64
mumble-server.x86_64 1.2.19-1.1.mga6 @updates_testing-x86_64
Available Packages
mumble-protocol-kde4.x86_64 1.2.19-1.1.mga6 updates_testing-x86_64
mumble-protocol-plasma5.x86_64 1.2.19-1.1.mga6 updates_testing-x86_64
mumble-server-web.x86_64 1.2.19-1.1.mga6 updates_testing-x86_64

CC:
(none) =>
bequimao.de

Testing mumble server after reboot:

[root@mga6-clone ~]# systemctl list-units | grep mumble
session-c1.scope loaded active abandoned Session c1 of user mumble-server
mumble-server.service loaded active exited LSB: Mumble VoIP Server
user-973.slice loaded active active User Slice of mumble-server

Just added localhost (127.0.0.1) to the server-list and connected to it. You'll get a voice message when connecting or disconnecting.

Everything works fine. Nothing to configure in config files. The testing procedure seems outdated.

Best regards
Ulrich

Whiteboard:
(none) =>
MGA6-64-OK

Advisory committed to svn.

Validating based on comment 3.

Keywords:
(none) =>
advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0145.html

Resolution:
(none) =>
FIXED