| Summary: | networkmanager missing security update for CVE-2011-2176 and CVE-2011-3364 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, dmorganec, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | networkmanager-0.8.4.0-5.mga1.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2011-12-30 23:58:06 CET
Hi, thanks for reporting this bug. As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it) CC:
(none) =>
balcaen.john, cjw, dmorganec, mageia, olav Please test networkmanager from updates_testing Assignee:
bugsquad =>
qa-bugs Networkmanager (with networkmanager-applet) is working for me on x86_64. CC:
balcaen.john, cjw, mageia, olav =>
(none) Testing complete on i586. Before validating the update though, the Mandriva advisory indicates networkmanager-applet, networkmanager-openconnect, networkmanager-openvpn, networkmanager-pptp, networkmanager-vpnc are also provided with their latest 0.8.6.0 stable versions. Will we be including those packages? CC:
(none) =>
davidwhodgins (In reply to comment #4) > Testing complete on i586. > > Before validating the update though, the Mandriva advisory indicates > networkmanager-applet, networkmanager-openconnect, > networkmanager-openvpn, networkmanager-pptp, networkmanager-vpnc > are also provided with their latest 0.8.6.0 stable versions. > > Will we be including those packages? Good catch! Sorry this was missed earlier. D Morgan, could you build these too? all pushed I'm having trouble figuring out how to test the additional packages, so I've posted a request for help in the testing to the general discuss mailing list. PPTP is unsupported IIRC due to missing support in pppd. I think the only VPN we managed to test previously was openvpn. * missing MPPE support I think we should go ahead and push the update, rather than hold it for vpn testing. Opinions? I agree, but it's QA team decision of course. Here's the advisory. Advisory: ======================== Updated networkmanager packages fix security vulnerabilities: GNOME NetworkManager before 0.8.6 does not properly enforce the auth_admin element in PolicyKit, which allows local users to bypass intended wireless network sharing restrictions via unspecified vectors (CVE-2011-2176). Incomplete blacklist vulnerability in the svEscape function in settings/plugins/ifcfg-rh/shvar.c in the ifcfg-rh plug-in for GNOME NetworkManager 0.9.1, 0.9.0, 0.8.1, and possibly other versions, when PolicyKit is configured to allow users to create new connections, allows local users to execute arbitrary commands via a newline character in the name for a new network connection, which is not properly handled when writing to the ifcfg file (CVE-2011-3364). This updates NetworkManager to 0.8.6.0 to fix these issues and allow upgrading from Mandriva 2010.2. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2176 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3364 http://cgit.freedesktop.org/NetworkManager/NetworkManager/plain/NEWS?h=NM_0_8 http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:171 ======================== Updated packages in core/updates_testing: ======================== libnm-glib-devel-0.8.6.0-0.1.mga1 libnm-glib-vpn-devel-0.8.6.0-0.1.mga1 libnm-glib-vpn1-0.8.6.0-0.1.mga1 libnm-glib2-0.8.6.0-0.1.mga1 libnm-util-devel-0.8.6.0-0.1.mga1 libnm-util1-0.8.6.0-0.1.mga1.i586.rpm networkmanager-0.8.6.0-0.1.mga1 networkmanager-applet-0.8.6.0-1.1.mga1 networkmanager-openconnect-0.8.6.0-1.1.mga1 networkmanager-openvpn-0.8.6.0-1.1.mga1 networkmanager-pptp-0.8.6.0-1.mga1 networkmanager-vpnc-0.8.6.0-1.1.mga1 from SRPMS: networkmanager-0.8.6.0-0.1.mga1.src.rpm networkmanager-applet-0.8.6.0-1.1.mga1.src.rpm networkmanager-openconnect-0.8.6.0-1.1.mga1.src.rpm networkmanager-openvpn-0.8.6.0-1.1.mga1.src.rpm networkmanager-pptp-0.8.6.0-1.mga1.src.rpm networkmanager-vpnc-0.8.6.0-1.1.mga1.src.rpm Validating the update. Could someone from the sysadmin team pus the srpms networkmanager-0.8.6.0-0.1.mga1.src.rpm networkmanager-applet-0.8.6.0-1.1.mga1.src.rpm networkmanager-openconnect-0.8.6.0-1.1.mga1.src.rpm networkmanager-openvpn-0.8.6.0-1.1.mga1.src.rpm networkmanager-pptp-0.8.6.0-1.mga1.src.rpm networkmanager-vpnc-0.8.6.0-1.1.mga1.src.rpm from Core Updates Testins to Core Updates. Advisory: This security updated for networkmanager corrects the following security vulnerabilities: GNOME NetworkManager before 0.8.6 does not properly enforce the auth_admin element in PolicyKit, which allows local users to bypass intended wireless network sharing restrictions via unspecified vectors (CVE-2011-2176). Incomplete blacklist vulnerability in the svEscape function in settings/plugins/ifcfg-rh/shvar.c in the ifcfg-rh plug-in for GNOME NetworkManager 0.9.1, 0.9.0, 0.8.1, and possibly other versions, when PolicyKit is configured to allow users to create new connections, allows local users to execute arbitrary commands via a newline character in the name for a new network connection, which is not properly handled when writing to the ifcfg file (CVE-2011-3364). This updates NetworkManager to 0.8.6.0 to fix these issues and allow upgrading from Mandriva 2010.2. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2176 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3364 http://cgit.freedesktop.org/NetworkManager/NetworkManager/plain/NEWS?h=NM_0_8 http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:171 https://bugs.mageia.org/show_bug.cgi?id=3956 Keywords:
(none) =>
validated_update s /updated/update/
David Walser
2012-01-28 12:09:45 CET
Hardware:
i586 =>
All update pushed Status:
NEW =>
RESOLVED |