Bug 11147 - php-pear-Auth_OpenID new security issue CVE-2013-4701
Summary: php-pear-Auth_OpenID new security issue CVE-2013-4701
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal    Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/565573/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64...
Keywords: validated_update
Reported: 2013-09-04 02:26 CEST by David Walser
Modified: 2014-05-08 18:05 CEST (History)
Source RPM: php-pear-Auth_OpenID-2.1.2-5.mga3.src.rpm
Description David Walser 2013-09-04 02:26:54 CEST
Fedora has issued an advisory on August 24:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115039.html

Fedora has a patch, and a link to the upstream commit to fix it in bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=999687

Mageia 2 and Mageia 3 are also affected.

Comment 1 Oden Eriksson 2013-09-04 10:27:08 CEST
php-pear-Auth_OpenID-2.2.2-1.mga2, php-pear-Auth_OpenID-2.2.2-1.mga3 and php-pear-Auth_OpenID-2.2.2-1.mga4 have been submitted where this is fixed.
Comment 2 David Walser 2013-09-04 16:08:14 CEST
Thanks Oden!

Advisory:
========================

Updated php-pear-Auth_OpenID packages fix security vulnerability:

Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote
attackers to read arbitrary files, send HTTP requests to intranet servers, or
cause a denial of service (CPU and memory consumption) via XRDS data containing
an external entity declaration in conjunction with an entity reference, related
to an XML External Entity (XXE) issue (CVE-2013-4701).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4701
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115039.html
========================

Updated packages in core/updates_testing:
========================
php-pear-Auth_OpenID-2.2.2-1.mga2
php-pear-Auth_OpenID-2.2.2-1.mga3

from SRPMS:
php-pear-Auth_OpenID-2.2.2-1.mga2.src.rpm
php-pear-Auth_OpenID-2.2.2-1.mga3.src.rpm
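The advisory above describes the classic XML External Entity pattern: an XRDS document fetched during Yadis discovery carries an entity declaration plus an entity reference, and the parser expands it into a file read, an outbound request, or a resource-exhausting expansion. The following is an added illustration of how a Yadis client can load XRDS defensively; it is not the Auth_OpenID project's code nor its upstream fix, and the function name `loadXrdsServices`, the two sample documents, and the `file:///placeholder/path` target are all constructed for this example.

```php
<?php
// Added example (not the Auth_OpenID project's code): a hardened XRDS loader
// for a Yadis discovery client. Function name and the sample documents are
// constructed for this illustration.

declare(strict_types=1);

/**
 * Parse an XRDS document and return the service URIs it advertises,
 * or null if the document is rejected.
 */
function loadXrdsServices(string $xml): ?array
{
    // Defence 1: an XRDS document has no legitimate use for a DTD. Refuse
    // any document carrying a DOCTYPE or ENTITY declaration before it
    // reaches the parser. (A string match alone can be fooled by unusual
    // encodings, which is why defence 2 is applied as well.)
    if (preg_match('/<!(?:DOCTYPE|ENTITY)\b/i', $xml)) {
        return null;
    }

    // Defence 2: tell libxml never to fetch external entities or DTDs.
    // PHP >= 8.0 disables the external entity loader by default; older
    // releases need the explicit call.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    $doc->resolveExternals   = false;
    $doc->substituteEntities = false;
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately NOT passed: those flags are what turn
    // an entity declaration into a file read or an outbound request.
    $ok = $doc->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    if (!$ok) {
        return null;
    }

    // Defence 3: validate the shape. The root must be <XRDS> in the
    // xri://$xrds namespace; anything else is not Yadis output.
    $root = $doc->documentElement;
    if ($root === null || $root->localName !== 'XRDS'
        || $root->namespaceURI !== 'xri://$xrds') {
        return null;
    }

    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('xrds', 'xri://$xrds');
    $xpath->registerNamespace('xrd', 'xri://$xrd*($v*2.0)');

    $uris = [];
    foreach ($xpath->query('/xrds:XRDS/xrd:XRD/xrd:Service/xrd:URI') as $node) {
        $uris[] = trim($node->textContent);
    }
    return $uris;
}

// Constructed sample 1: a benign XRDS document as a Yadis endpoint serves it.
$benign = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://openid.example.test/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>
XML;

// Constructed sample 2: the same document with an entity declaration and an
// entity reference, the shape the advisory describes. The entity target is a
// placeholder; the loader must reject the document regardless of it.
$hostile = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xrds [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><URI>&ext;</URI></Service></XRD>
</xrds:XRDS>
XML;

var_dump(loadXrdsServices($benign));
var_dump(loadXrdsServices($hostile));
```

Run with `php xrds_safe.php` (any file name). The benign document yields a one-element array holding the server URI; the hostile document is rejected by the DOCTYPE check and returns null. The three layers are intentionally redundant: the string check fails closed on the obvious case, the parser settings stop libxml from resolving anything external even if that check is bypassed, and the root-element check rejects anything that survived both but is not XRDS. When upgrading the package is not immediately possible, the same settings (no `LIBXML_NOENT`, no `LIBXML_DTDLOAD`, `LIBXML_NONET`, entity loader disabled) are the knobs to look for in any other PHP code that parses XML received from a remote party.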
Comment 3 Dave Hodgins 2013-09-06 00:46:26 CEST
As discussed with David Walser on IRC, just testing that it installs cleanly.

Advisory 11147.adv committed to svn.

Someone from the sysadmin team please push 11147.adv to updates.
Comment 4 Nicolas Vigier 2013-09-13 22:18:52 CEST
http://advisories.mageia.org/MGASA-2013-0272.html