| Summary: | telepathy-idle new security issue CVE-2007-6746 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/549233/ | ||
| Whiteboard: | has_procedure mga2-64-ok mga2-32-ok | ||
| Source RPM: | telepathy-idle-0.1.11-1.mga2.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2013-04-30 15:51:36 CEST
telepathy-idle-0.1.15-1.mga3 is uploaded in Cauldron.

Fedora has issued an advisory for this:
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104397.html

URL: (none) => http://lwn.net/Vulnerabilities/549233/

telepathy-idle 0.1.16 was released to fix some regressions and shortcomings (such as not working with self-signed-certs) in 0.1.15:
http://lists.freedesktop.org/archives/telepathy/2013-May/006434.html

I had to patch it to build with telepathy-glib 0.18.x in Mageia 2, due to a header reorganization in telepathy-glib 0.20.x, but that was pretty easy. I reported this upstream.

telepathy-idle 0.1.16 uploaded for Mageia 2 and Cauldron.

Addendum to previous note to QA: It sounds like they've added the ability to interactively verify whether or not to allow untrusted certificates.

Advisory:
========================

Updated telepathy-idle package fixes security vulnerability:

In versions prior to 0.1.15, telepathy-idle does not check the server's SSL/TLS certificate for validity. A network intermediary could use this flaw to carry out man-in-the-middle attacks on IRC users (CVE-2007-6746).

The telepathy-idle package has been updated to version 0.1.16 to fix this issue as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6746
http://lists.freedesktop.org/archives/telepathy/2013-May/006434.html
http://lists.freedesktop.org/archives/telepathy/2013-April/006431.html
https://bugs.freedesktop.org/show_bug.cgi?id=63810
http://lists.freedesktop.org/archives/telepathy/2012-November/006304.html
http://lists.freedesktop.org/archives/telepathy/2012-November/006303.html
http://lists.freedesktop.org/archives/telepathy/2012-August/006220.html
========================

Updated packages in core/updates_testing:
========================
telepathy-idle-0.1.16-1.mga2

from telepathy-idle-0.1.16-1.mga2.src.rpm

Testing complete mga2 64

Now gives certificate warning for self-signed connections.

Whiteboard: (none) => mga2-64-ok
claire robinson
2013-05-08 11:24:10 CEST
Whiteboard: mga2-64-ok => has_procedure mga2-64-ok
David Walser
2013-05-09 17:57:41 CEST
Severity: normal => major

Testing complete mga2 32

Validating

Advisory & srpm in comment 3

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0144

Status: NEW => RESOLVED |