Bug 26713

Summary: networkmanager new security issue CVE-2020-10754
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, brtians1, jani.valimaa, olav, sysadmin-bugs, zombie_ryushu
Version: 7Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: networkmanager-1.18.6-1.2.mga7.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 26673    

Description David Walser 2020-06-01 21:34:47 CEST 
Fedora has issued an advisory today (June 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SI4LWYUPI7M6B24ABADK24T77VF65B4A/

The issue is fixed upstream in 1.18.8.
David Walser 2020-06-01 21:35:12 CEST

Status comment: (none) => Fixed upstream in 1.18.8

Comment 1 Lewis Smith 2020-06-02 21:16:12 CEST 
Assigning to wally as registered maintainer, CC'ing Olav who also does it.

CC: (none) => olav
Assignee: bugsquad => jani.valimaa

Comment 2 Jani Välimaa 2020-06-05 21:04:27 CEST 
Pushed networkmanager-1.18.8-1.mga7 to core/updates_testing.

It also includes fixes for bug 26673.
David Walser 2020-06-06 18:08:49 CEST

Blocks: (none) => 26673

Comment 3 David Walser 2020-06-06 18:19:29 CEST 
type: security
subject: Updated networkmanager packages fix security vulnerability
CVE:
 - CVE-2020-10754
src:
  7:
   core:
     - networkmanager-1.18.8-1.mga7
     - networkmanager-applet-1.8.24-1.mga7
     - gnome-control-center-3.32.1-2.2.mga7
     - gnome-shell-3.32.1-2.1.mga7
description: |
  It was found that nmcli, a command line interface to NetworkManager did
  not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings, when
  creating a new profile. When a user connects to a network using this
  profile, the authentication does not happen and the connection is made
  insecurely (CVE-2020-10754).

  The networkmanager package has been updated to version 1.18.8, fixing
  this issue and other bugs.

  Also, the networkmanager-applet package has been updated to version
  1.8.24. It also adds support for connecting to WPA3 / SAE protected
  wireless networks.

  gnome-control-center and gnome-shell have been fixed to correctly
  identify the connections as WPA3.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=26673
 - https://bugs.mageia.org/show_bug.cgi?id=26713
 - https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/nm-1-18/NEWS
 - https://gitlab.gnome.org/GNOME/network-manager-applet/-/blob/1.8.24/NEWS
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SI4LWYUPI7M6B24ABADK24T77VF65B4A/

Status comment: Fixed upstream in 1.18.8 => (none)
Assignee: jani.valimaa => qa-bugs
CC: (none) => jani.valimaa

Comment 4 David Walser 2020-06-06 18:21:21 CEST 
The networkmanager-applet, gnome-control-center, and gnome-shell stuff were already tested and OK'd in Bug 26673.

For the networkmanager package itself, the full set of RPMs is:
networkmanager-1.18.8-1.mga7
networkmanager-adsl-1.18.8-1.mga7
networkmanager-bluetooth-1.18.8-1.mga7
networkmanager-team-1.18.8-1.mga7
networkmanager-wifi-1.18.8-1.mga7
networkmanager-wwan-1.18.8-1.mga7
networkmanager-ppp-1.18.8-1.mga7
networkmanager-tui-1.18.8-1.mga7
libnm0-1.18.8-1.mga7
libnm-devel-1.18.8-1.mga7
libnm-util2-1.18.8-1.mga7
libnm-gir1.0-1.18.8-1.mga7
libnetworkmanager-gir1.0-1.18.8-1.mga7
libnm-util-devel-1.18.8-1.mga7
libnm-glib4-1.18.8-1.mga7
libnmclient-gir1.0-1.18.8-1.mga7
libnm-glib-devel-1.18.8-1.mga7
libnm-glib-vpn1-1.18.8-1.mga7
libnm-glib-vpn-devel-1.18.8-1.mga7
Comment 5 Brian Rockwell 2020-06-08 03:31:53 CEST 
laptop a6 - wifi

Jun 07 20:17:21 localhost drakrpm[17767]: transaction on / (remove=0, install=0, upgrade=50)
Jun 07 20:17:25 localhost [RPM][17767]: install lib64nm-util2-1.18.8-1.mga7.x86_64: success
Jun 07 20:17:26 localhost [RPM][17767]: install lib64nm-glib-vpn1-1.18.8-1.mga7.x86_64: success
Jun 07 20:17:26 localhost [RPM][17767]: install tpm2-tss-2.2.2-1.1.mga7.x86_64: success
Jun 07 20:17:27 localhost [RPM][17767]: install lib64tss2-mu0-2.2.2-1.1.mga7.x86_64: success
Jun 07 20:17:28 localhost [RPM][17767]: install libmbim-utils-1.18.2-1.mga7.x86_64: success
Jun 07 20:17:29 localhost [RPM][17767]: install lib64mbim-glib4-1.18.2-1.mga7.x86_64: success
Jun 07 20:17:29 localhost [RPM][17767]: install mobile-broadband-provider-info-1:1.20190116-1.mga7.noarch: success
Jun 07 20:17:29 localhost [RPM][17767]: install lib64nma0-1.8.24-1.mga7.x86_64: success
Jun 07 20:17:30 localhost [RPM][17767]: install lib64unbound8-1.10.1-1.mga7.x86_64: success
Jun 07 20:17:31 localhost [RPM][17767]: install vpnc-0.5.3-14.mga7.x86_64: success
Jun 07 20:17:34 localhost [RPM][17767]: install unbound-1.10.1-1.mga7.x86_64: success
Jun 07 20:17:34 localhost [RPM][17767]: install lib64qmi-glib5-1.22.2-1.mga7.x86_64: success
Jun 07 20:17:35 localhost [RPM][17767]: install libqmi-utils-1.22.2-1.mga7.x86_64: success
Jun 07 20:17:35 localhost [RPM][17767]: install lib64tss2-sys0-2.2.2-1.1.mga7.x86_64: success
Jun 07 20:17:36 localhost [RPM][17767]: install lib64tss2-tcti-device0-2.2.2-1.1.mga7.x86_64: success
Jun 07 20:17:36 localhost [RPM][17767]: install lib64tss2-tcti-mssim0-2.2.2-1.1.mga7.x86_64: success
Jun 07 20:17:37 localhost [RPM][17767]: install lib64tss2-esys0-2.2.2-1.1.mga7.x86_64: success
Jun 07 20:17:37 localhost [RPM][17767]: install lib64nm-glib4-1.18.8-1.mga7.x86_64: success
Jun 07 20:17:38 localhost [RPM][17767]: install lib64nm-gtk0-1.8.24-1.mga7.x86_64: success
Jun 07 20:17:40 localhost [RPM][17767]: install luit-1.1.1-10.mga7.x86_64: success
Jun 07 20:17:41 localhost [RPM][17767]: install xterm-344-1.mga7.x86_64: success
Jun 07 20:17:41 localhost [RPM][17767]: install lib64mm-glib0-1.10.0-1.mga7.x86_64: success
Jun 07 20:17:42 localhost [RPM][17767]: install lib64tspi1-0.3.14-4.1.mga7.x86_64: success
Jun 07 20:17:43 localhost [RPM][17767]: install lib64openconnect5-8.10-1.mga7.x86_64: success
Jun 07 20:17:44 localhost [RPM][17767]: install openconnect-8.10-1.mga7.x86_64: success
Jun 07 20:17:45 localhost [RPM][17767]: install networkmanager-openconnect-1.2.4-4.mga7.x86_64: success
Jun 07 20:17:46 localhost [RPM][17767]: install lib64expect5.45.4-1:5.45.4-3.mga7.x86_64: success
Jun 07 20:17:47 localhost [RPM][17767]: install expect-1:5.45.4-3.mga7.x86_64: success
Jun 07 20:17:48 localhost [RPM][17767]: install perl-IPC-Signal-1.0.0-13.mga7.noarch: success
Jun 07 20:17:48 localhost [RPM][17767]: install perl-Proc-WaitStat-1.0.0-14.mga7.noarch: success
Jun 07 20:17:48 localhost [RPM][17767]: install perl-Authen-PAM-0.160.0-22.mga7.x86_64: success
Jun 07 20:17:49 localhost [RPM][17767]: install lib64ndp0-1.6-3.mga7.x86_64: success

---

rebooted

Network tools I use are still functional and the system is connecting.

CC: (none) => brtians1

David Walser 2020-06-08 03:37:38 CEST

Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-06-08 04:08:29 CEST 
Installed and set up network manager on a 64-bit Plasma install with both wired and wifi connections. Was able to switch back and forth with no problems.

Using qarepo, I updated the packages from this bug, plus the additional packages from Bugs 26673 and 26674. All packages updated cleanly. Rebooted to make sure the new network manager was being used, and once again connections were stable and I was able to switch back and forth.

Looks OK here. Validating. Advisory information in Comment 3 and, I guess, Comment 4.
Thomas Andrews 2020-06-08 04:08:52 CEST

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2020-06-15 09:55:56 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0260.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 8 David Walser 2020-12-15 17:03:54 CET 
*** Bug 27829 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu