| Summary: | trojita new security issue CVE-2020-15047 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, geiger.david68210, mageia, matteo.pasotti, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | trojita-0.7-5.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | screenshot of rpmdrake NOT showing new trojita package.; Trojita about dialog showing encryption/signing is disabled. | ||
Description
David Walser
2020-06-25 18:29:27 CEST

David Walser
2020-06-25 18:29:45 CEST
Whiteboard: (none) => MGA7TOO

Assigning to DavidG who has done most recent commits; CC'ing Matteo (reg mtr) for info.
Assignee: bugsquad => geiger.david68210

Fixed on Cauldron!
David Walser
2020-06-26 14:49:07 CEST
Version: Cauldron => 7
David Walser
2020-12-28 18:36:58 CET
Status comment: (none) => Patch available from upstream

Like for Cauldron I updated trojita for mga7!

- trojita-0.7-5.git20200625.1.mga7

Advisory:
========================

Updated trojita package fixes security vulnerability:

Damian Poddebniak discovered a TLS verification failure in Trojitá. When sending e-mails over SMTP, all TLS errors were ignored (CVE-2020-15047).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15047
https://www.openwall.com/lists/oss-security/2020/06/25/1
https://gerrit.vesnicky.cesnet.cz/r/#/c/1035/
========================

Updated packages in core/updates_testing:
========================
trojita-0.7-5.git20200625.1.mga7

from trojita-0.7-5.git20200625.1.mga7.src.rpm
CC: (none) => geiger.david68210

There is a strange issue with this update package.

I have trojita installed.
$ rpm -q trojita
trojita-0.7-5.mga7

I have the testing repositories enabled and can find the newer package in the testing repositories.
$ urpmf -f -m --name trojita
Core Release:trojita-0.7-5.mga7.x86_64
Core Updates Testing:trojita-0.7-5.git20200625.1.mga7.x86_64
Core 32bit Release:trojita-0.7-5.mga7.i586
Core 32bit Updates Testing:trojita-0.7-5.git20200625.1.mga7.i586

But running an update does NOT show the new trojita package anywhere.
$ urpmi --auto-update --auto --test | grep -i trojita
$ ### No reference to package trojita!!!!!!!

I also tried rpmdrake but it does NOT show the new trojita package either. (See attached screenshot.)

I tried forcing a full update of the local urpmi data but that didn't change the situation.
$ urpmi.update -a -ff

It is the first time I see such a situation. Is this due to something wrong with the new package? Or maybe with the mirror?

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.
CC: (none) => mageia

Created attachment 12189 [details]
screenshot of rpmdrake NOT showing new trojita package.

Confirmed. I installed trojita-0.7-5.mga7.x86_64 and its dependency. Then I used QA Repo to find and download trojita-0.7-5.git20200625.1.mga7, but for some reason it is not being recognized by Mageia Update as an update to the installed package. A package-naming issue, perhaps?
CC: (none) => andrewsfarm

Yeah the 5 might need to be bumped to a 6. Perhaps git < mga7 and that's what it's trying to compare in the release tag.
Keywords: (none) => feedback

Should be good now in trojita-0.7-6.git20200625.1.mga7.
Keywords: feedback => (none)

urpmi sees the update package and installs the package correctly.
Tested by connecting to an IMAP account on a dovecot IMAP server. The account has hundreds of folders with many thousands of emails in those folders. Usual features seem to work correctly.
There is a possible issue. It seems the message signing/encryption/decryption is disabled (see attached screenshot).
Is it a build issue?
Or maybe a configuration issue?
Should I make a separate bug report for this?
System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.
$ uname -a
Linux marte 5.10.12-desktop-1.mga7 #1 SMP Sat Jan 30 14:29:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ LANGUAGE=C urpmi --auto-update --test | grep trojita
trojita 0.7 6.git2020062> x86_64
$ rpm -q trojita
trojita-0.7-5.mga7
$ LANGUAGE=C urpmi trojita
installing trojita-0.7-6.git20200625.1.mga7.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... #################################
1/1: trojita #################################
1/1: removing trojita-0.7-5.mga7.x86_64
#################################
$ rpm -q trojita
trojita-0.7-6.git20200625.1.mga7
Created attachment 12310 [details]
Trojita about dialog showing encryption/signing is disabled.
This update has been working without issues for over a week and since this is a security update I'm giving it an OK for x86_64. Will create a new bug for the signing/encryption/decryption-is-disabled issue.
Whiteboard: (none) => MGA7-64-OK

(In reply to David Walser from comment #8)
> Yeah the 5 might need to be bumped to a 6. Perhaps git < mga7 and that's
> what it's trying to compare in the release tag.

It's because -5.git* < -5.mga*, as in "g" < "m". That's why updating -1.mga7 -> 1.mga8 works without a release bump too... rpm compares all of rel.
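The release-tag comparison explained in the reply above (why `-5.git20200625.1.mga7` sorted below `-5.mga7` and why bumping to `-6` fixed it), as an added example that is not part of this bug report or of Mageia's tooling: a Python reimplementation of rpm's `rpmvercmp()` segment rules, run over the release tags from this bug. The function names `rpmvercmp` and `is_update` are mine, and the `^` post-release rule of newer rpm versions is left out.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """Reimplementation of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b ('^' rule omitted)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything but letters, digits and '~') are skipped, not compared.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        if ta or tb:  # '~' sorts before anything, even the end of the string
            if ta != tb:
                return 1 if tb else -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take the next run of digits from both, or the next run of letters from both.
        numeric = a[i].isdigit()
        pat = r"[0-9]+" if numeric else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:  # segment types differ: a numeric segment beats a letter segment
            return 1 if numeric else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")  # compare as integers: longer wins
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:  # same-length digits or letter runs: plain byte-wise comparison
            return 1 if sa > sb else -1
    # Whichever string still has segments left over is the newer one.
    return 0 if i >= len(a) and j >= len(b) else (-1 if i >= len(a) else 1)

def is_update(installed_release: str, candidate_release: str) -> bool:
    """True when rpm/urpmi would treat the candidate release tag as newer."""
    return rpmvercmp(candidate_release, installed_release) > 0

# Release tags from this bug; both builds share version 0.7, so only the release decides.
INSTALLED = "5.mga7"                   # trojita-0.7-5.mga7
FIRST_BUILD = "5.git20200625.1.mga7"   # first candidate: "git" < "mga", so rpm calls it older
BUMPED_BUILD = "6.git20200625.1.mga7"  # after the release bump: 6 > 5 is decided first

if __name__ == "__main__":
    for cand in (FIRST_BUILD, BUMPED_BUILD):
        print(f"{cand} newer than {INSTALLED}: {is_update(INSTALLED, cand)}")
```

The same rule is why a snapshot suffix placed before the distribution tag needs a release bump to be offered as an update, while `-1.mga7` to `-1.mga8` compares newer on its own.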
Dave Hodgins
2021-02-15 09:52:57 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0082.html
Resolution: (none) => FIXED