A CVE was assigned for a DoS issue fixed in dropbear 2013.59: http://openwall.com/lists/oss-security/2013/10/11/4 Cauldron already has version 2013.59. Patched packages uploaded for Mageia 2 and Mageia 3. Advisory: ======================== Updated dropbear package fixes security vulnerability: Possible memory exhaustion denial of service due to the size of decompressed payloads in dropbear before 2013.59 (CVE-2013-4421). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4421 https://matt.ucc.asn.au/dropbear/CHANGES http://openwall.com/lists/oss-security/2013/10/11/4 ======================== Updated packages in core/updates_testing: ======================== dropbear-2012.55-3.1.mga2 dropbear-2012.55-4.1.mga3 from SRPMS: dropbear-2012.55-3.1.mga2.src.rpm dropbear-2012.55-4.1.mga3.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA2TOO
Testing mga3 64 The new package shows an error when uninstalled. Checked with release package and it's the same. I'll create a new bug for it. # urpmi dropbear installing dropbear-2012.55-4.1.mga3.x86_64.rpm from /var/cache/urpmi/rpms Preparing... ########################## 1/1: dropbear ########################## 1/1: removing dropbear-2012.55-4.mga3.x86_64 ########################## # service sshd stop Redirecting to /bin/systemctl stop sshd.service # netstat -pant | grep :22 # service dropbear start Starting dropbear (via systemctl): [ OK ] # netstat -pant | grep :22 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 21008/dropbear tcp 0 0 :::22 :::* LISTEN 21008/dropbear $ mv .ssh/known_hosts .ssh/known_hosts.bak $ dbclient localhost Host 'localhost' is not in the trusted hosts file. (fingerprint md5 e0:57:bc:92:f9:c5:95:81:c1:41:41:0f:c2:1d:5c:c1) Do you want to continue connecting? (y/n) y claire@localhost's password: $ exit $ mv .ssh/known_hosts.bak .ssh/known_hosts mv: overwrite â.ssh/known_hostsâ? y # urpme dropbear removing dropbear-2012.55-4.1.mga3.x86_64 removing package dropbear-2012.55-4.1.mga3.x86_64 1/1: removing dropbear-2012.55-4.1.mga3.x86_64 ######### warning: file /etc/rc.d/init.d/dropbear: remove failed: No such file or directory ################# # service sshd start Redirecting to /bin/systemctl start sshd.service
Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok
Testing complete mga2 32 & 64
Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok
Bug 11458 created for the warning
Testing complete mga3 32 Validating. Advisory uploaded. Could sysadmin please push from 2&3 core/updates_testing to updates Thanks!
Keywords: (none) => validated_updateWhiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-okCC: (none) => sysadmin-bugs
I don't think anything can be done about the warning, other than removing the SysV init script from the package (which we'd probably only do in Cauldron I'd imagine). Note that there may be another patch coming for this package soon: http://openwall.com/lists/oss-security/2013/10/12/1
Is it worth waiting for it or should we push as-is and update again when the patch is available.
The patch is already available, just waiting on a CVE to be assigned. Shouldn't be long I wouldn't imagine. I wonder if Kurt has today off because of Columbus Day. So it might be tomorrow. We can wait to push this.
Invalidating previous tests then and removing sysadmins. I'll add feedback marker until it's ready.
Keywords: validated_update => (none)CC: sysadmin-bugs => (none)Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok => MGA2TOO has_procedure feedback
CVE-2013-4344 has been allocated for the other issue: http://openwall.com/lists/oss-security/2013/10/16/11 The upstream patch doesn't quite apply to the version we currently have, and re-diffing some of the parts that don't isn't quite obvious because of some changes in the code. Looks like it'll be best to update it to the current version, which is the same thing we ultimately had to do for the last dropbear security update.
(In reply to David Walser from comment #9) > CVE-2013-4344 has been allocated for the other issue: CVE-2013-4434, let me please not make another CVE typo :o)
Whiteboard: MGA2TOO has_procedure feedback => MGA2TOO has_procedure
Updated packages uploaded for Mageia 2 and Mageia 3. Note 2013.60 is not needed for us, as it only fixes build-time errors that don't affect our package. This updates to 2013.59 which fixed these issues. Advisory: ======================== Updated dropbear package fixes security vulnerability: Possible memory exhaustion denial of service due to the size of decompressed payloads in dropbear before 2013.59 (CVE-2013-4421). Inconsistent delays in authorization failures could be used to disclose the existence of valid user accounts in dropbear before 2013.59 (CVE-2013-4434). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4421 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4434 https://matt.ucc.asn.au/dropbear/CHANGES ======================== Updated packages in core/updates_testing: ======================== dropbear-2013.59-1.mga2 dropbear-2013.59-1.mga3 from SRPMS: dropbear-2013.59-1.mga2.src.rpm dropbear-2013.59-1.mga3.src.rpm
Summary: dropbear new security issue CVE-2013-4421 => dropbear new security issues CVE-2013-4421 and CVE-2013-4434
Sorry to say but the same problem stays in M3 x86_64. ######### warning: file /etc/rc.d/init.d/dropbear: remove failed: No such file or directory The rest of the test does succeed. Roelof
CC: (none) => rwobben
Thanks. Don't worry about that warning. I've added the MGA3-64-OK marker to the whiteboard for you.
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure MGA3-64-OK
Tested in Virtualbox containing M3 32 bit Gnome and found no problems. Roelof
(In reply to roelof Wobben from comment #14) > Tested in Virtualbox containing M3 32 bit Gnome and found no problems. Thanks. Please remember the whiteboard markers.
Whiteboard: MGA2TOO has_procedure MGA3-64-OK => MGA2TOO has_procedure MGA3-64-OK MGA3-32-OK
I did not forget it. I only do not know if a test in virtualbox can lead to a marker. Roelof
(In reply to roelof Wobben from comment #16) > I did not forget it. I only do not know if a test in virtualbox can lead to > a marker. Yes it can, unless it's a package that needs to be tested on real hardware, like kernels and video drivers and virtualbox itself (and a few others).
Thanks for the answers
Testing complete mga2 32
Whiteboard: MGA2TOO has_procedure MGA3-64-OK MGA3-32-OK => MGA2TOO has_procedure mga2-32-ok MGA3-64-OK MGA3-32-OK
Testing complete mga2 64
Whiteboard: MGA2TOO has_procedure mga2-32-ok MGA3-64-OK MGA3-32-OK => MGA2TOO has_procedure mga2-32-ok mga2-64-ok MGA3-64-OK MGA3-32-OK
Advisory updated. Re-Validating. Could sysadmin please push from 2&3 core/updates_testing to updates Thanks!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Fedora has issued an advisory for this on October 9: https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119323.html
URL: (none) => http://lwn.net/Vulnerabilities/571139/
Update pushed: http://advisories.mageia.org/MGASA-2013-0318.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
LWN reference for CVE-2013-4434: http://lwn.net/Vulnerabilities/571987/