Bug 28450

Summary: mumble new security issue CVE-2021-27229
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, bequimao.de, geiger.david68210, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA8-64-OK MGA7-64-OK
Source RPM: mumble-1.3.3-4.mga8.src.rpm CVE: CVE-2021-27229
Status comment:

Description David Walser 2021-02-26 17:40:21 CET 
Debian-LTS has issued an advisory on February 18:
https://www.debian.org/lts/security/2021/dla-2562

The issue is fixed upstream in 1.3.4.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-02-26 17:40:32 CET

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 1.3.4

Comment 1 David GEIGER 2021-02-27 09:06:07 CET 
Done for cauldron, mga7 and mga8!

CC: (none) => geiger.david68210

Comment 2 Lewis Smith 2021-02-27 09:25:05 CET 
Thanks David; another "no sooner said than done" tour de force.
Changing you from CC to Assignee. It will need an Advisory.

Assignee: bugsquad => geiger.david68210
CC: geiger.david68210 => (none)

Comment 3 David Walser 2021-02-27 17:15:41 CET 
Package list:
mumble-1.3.4-1.mga7
mumble-protocol-plasma5-1.3.4-1.mga7
mumble-plugins-1.3.4-1.mga7
mumble-server-1.3.4-1.mga7
mumble-server-web-1.3.4-1.mga7
mumble-1.3.4-1.mga8
mumble-plugins-1.3.4-1.mga8
mumble-server-1.3.4-1.mga8
mumble-server-web-1.3.4-1.mga8
mumble-protocol-plasma5-1.3.4-1.mga8

from SRPMS:
mumble-1.3.4-1.mga7.src.rpm
mumble-1.3.4-1.mga8.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Status comment: Fixed upstream in 1.3.4 => (none)
Version: Cauldron => 8

Comment 4 David Walser 2021-03-03 01:35:08 CET 
Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble before 1.3.4 allows remote code execution if a victim navigates to a
crafted URL on a server list and clicks on the Open Webpage text
(CVE-2021-27229).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27229
https://www.debian.org/lts/security/2021/dla-2562
Comment 5 Ulrich Beckmann 2021-03-08 20:55:19 CET 
[root@mga8-final ~]# dnf list $(cat mga8_28450.list)
Last metadata expiration check: 3:19:44 ago on Mon 08 Mar 2021 01:30:38 PM -03.
Installed Packages
mumble.x86_64                                                                     1.3.4-1.mga8                                                     @updates_testing-x86_64
mumble-plugins.x86_64                                                             1.3.4-1.mga8                                                     @updates_testing-x86_64
mumble-protocol-plasma5.x86_64                                                    1.3.4-1.mga8                                                     @updates_testing-x86_64
[root@mga8-final ~]#

Installed and upgraded mumble in a fresh Mga8 Installation.
Then I went through the config workflow, connected to a foreign server, and had a small talk. Everything works fine.

Ulrich

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
CC: (none) => bequimao.de

Comment 6 Ulrich Beckmann 2021-03-08 21:28:28 CET 
[root@mga7-final ~]# dnf list $(cat mga7_28450.list)
Last metadata expiration check: 0:16:21 ago on Mon 08 Mar 2021 05:08:39 PM -03.
Installed Packages
mumble.x86_64                                                                      1.3.4-1.mga7                                                      @updates_testing-x86_64
mumble-plugins.x86_64                                                              1.3.4-1.mga7                                                      @updates_testing-x86_64
mumble-protocol-plasma5.x86_64                                                     1.3.4-1.mga7                                                      @updates_testing-x86_64
[root@mga7-final ~]#

Here I had mumble previously configured. They heard me, and also heard my dog. No regression found.

Ulrich

Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK

Comment 7 Thomas Andrews 2021-03-09 13:51:10 CET 
Thanks, Ulrich! Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Aurelien Oudelet 2021-03-11 22:36:01 CET 
Advisory committed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-27229

Comment 9 Mageia Robot 2021-03-12 02:27:38 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0125.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED