Bug 11459 - polarssl new security issue CVE-2013-5915
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/570337/
Whiteboard: has_procedure advisory mga3-64-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-10-14 19:05 CEST by David Walser
Modified: 2013-11-30 22:43 CET

See Also:
Source RPM: polarssl-1.2.8-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-10-14 19:05:05 CEST
Fedora has issued an advisory on October 4:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119014.html

The issue is fixed upstream in 1.2.9:
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05
https://polarssl.org/tech-updates/releases/polarssl-1.2.9-released

Mageia 3 is also affected.

David Walser 2013-10-14 19:05:16 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Oden Eriksson 2013-10-15 08:52:06 CEST
polarssl-1.3.0-1.mga4 has been submitted.
Comment 2 Oden Eriksson 2013-10-15 08:58:50 CEST
polarssl-1.2.9-1.mga3 has been submitted.

NOTE. polarssl-1.3.0 bumps the major (2 -> 4), which would require at least pdns to be rebuilt for mga3, if one would upgrade to polarssl-1.3.0 that is.
David Walser 2013-11-21 23:03:34 CET

Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

Comment 3 Oden Eriksson 2013-11-22 09:32:20 CET
polarssl-1.3.1-1.mga3 has been submitted.

The upstream patches broke the API anyway, preventing pdns from building.

https://github.com/polarssl/polarssl/commit/43f9799ce61c6392a014d0a2ea136b4b3a9ee194
https://github.com/polarssl/polarssl/commit/6b06502c4b19ce40a88faca3528b9f3f0c87a755

This has been fixed in git by pdns upstream. Backporting pdns-3.3.1-1.1.mga4.src.rpm will fix this problem.

To my knowledge only pdns uses polarssl.
Comment 4 Oden Eriksson 2013-11-22 10:17:48 CET
pdns-3.3.1-0.1.mga3 has also been submitted.
Comment 5 David Walser 2013-11-22 13:37:21 CET
Thanks Oden!

Advisory:
========================

Updated polarssl packages fix security vulnerability:

The researchers Cyril Arnaud and Pierre-Alain Fouque investigated the PolarSSL
RSA implementation and discovered a bias in the implementation of the Montgomery
multiplication that we used. For which they then show that it can be used to
mount an attack on the RSA key. Although their test attack is done on a local
system, there seems to be enough indication that this can properly be performed
from a remote system as well (CVE-2013-5915).

Also, the pdns package has been updated to work with the updated polarssl.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5915
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119014.html
========================

Updated packages in core/updates_testing:
========================
polarssl-1.3.1-1.mga3
libpolarssl5-1.3.1-1.mga3
libpolarssl-devel-1.3.1-1.mga3
pdns-3.3.1-0.1.mga3
pdns-backend-pipe-3.3.1-0.1.mga3
pdns-backend-mysql-3.3.1-0.1.mga3
pdns-backend-pgsql-3.3.1-0.1.mga3
pdns-backend-ldap-3.3.1-0.1.mga3
pdns-backend-sqlite-3.3.1-0.1.mga3
pdns-backend-geo-3.3.1-0.1.mga3

from SRPMS:
polarssl-1.3.1-1.mga3.src.rpm
pdns-3.3.1-0.1.mga3.src.rpm

CC: (none) => oe
Assignee: oe => qa-bugs

Comment 6 David Walser 2013-11-23 02:16:03 CET
Looks like the ragel package that Oden built is required by this pdns update, so adding that to the packages list.

Advisory:
========================

Updated polarssl packages fix security vulnerability:

The researchers Cyril Arnaud and Pierre-Alain Fouque investigated the PolarSSL
RSA implementation and discovered a bias in the implementation of the Montgomery
multiplication that we used. For which they then show that it can be used to
mount an attack on the RSA key. Although their test attack is done on a local
system, there seems to be enough indication that this can properly be performed
from a remote system as well (CVE-2013-5915).

Also, the pdns package has been updated to work with the updated polarssl.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5915
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119014.html
========================

Updated packages in core/updates_testing:
========================
polarssl-1.3.1-1.mga3
libpolarssl5-1.3.1-1.mga3
libpolarssl-devel-1.3.1-1.mga3
pdns-3.3.1-0.1.mga3
pdns-backend-pipe-3.3.1-0.1.mga3
pdns-backend-mysql-3.3.1-0.1.mga3
pdns-backend-pgsql-3.3.1-0.1.mga3
pdns-backend-ldap-3.3.1-0.1.mga3
pdns-backend-sqlite-3.3.1-0.1.mga3
pdns-backend-geo-3.3.1-0.1.mga3
ragel-6.8-1.mga3

from SRPMS:
polarssl-1.3.1-1.mga3.src.rpm
pdns-3.3.1-0.1.mga3.src.rpm
ragel-6.8-1.mga3.src.rpm
Comment 7 claire robinson 2013-11-27 17:05:47 CET
Testing complete mga3 32

Testing with polarssl-selftest that all tests pass. The last few took some time to complete but all passed.

Configured /etc/powerdns/pdns.conf to listen on port 2000 so it wouldn't conflict with anything else and started the service, sent it a 'dig'

# dig www.example.com A @127.0.0.1 -p 2000

; <<>> DiG 9.9.3-P2 <<>> www.example.com A @127.0.0.1 -p 2000
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13964
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;www.example.com.               IN      A

;; Query time: 2 msec
;; SERVER: 127.0.0.1#2000(127.0.0.1)
;; WHEN: Wed Nov 27 15:59:22 GMT 2013
;; MSG SIZE  rcvd: 44

Whiteboard: (none) => has_procedure mga3-32-ok

Comment 8 claire robinson 2013-11-27 17:13:16 CET
One noteworthy issue, adding feedback for now, when installing pdns..

Failed to issue method call: Unit powerdns.service failed to load: No such file or directory. See system logs and 'systemctl status powerdns.service' for details.
warning: %post(pdns-3.3.1-0.1.mga3.x86_64) scriptlet failed, exit status 6
ERROR: 'script' failed for pdns-3.3.1-0.1.mga3.x86_64: 


It seems to be looking for powerdns.service when IINM it should look for pdns.service


# ls /lib/systemd/system/ | grep dns
dnsmasq.service
pdns.service

Whiteboard: has_procedure mga3-32-ok => has_procedure feedback

Comment 9 David Walser 2013-11-27 17:17:38 CET
Indeed, and I imagine it's the same in Cauldron.

%post
%_tmpfilescreate %{name}
%_post_service powerdns

%preun
%_preun_service powerdns

Should be:

%post
%_tmpfilescreate %{name}
%_post_service %{name}

%preun
%_preun_service %{name}
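
A packaging check that would catch the scriptlet failure discussed in comments 8 and 9, as an added example that is not part of the bug thread or of the Mageia or pdns sources: it compares the service names passed to %_post_service and %_preun_service against the unit files the package ships. The function name check_service_macros, the minimal spec files and the temporary unit directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Mageia or pdns sources.

# check_service_macros SPEC UNIT_DIR
# Prints one line per %_post_service/%_preun_service call whose argument has
# no matching UNIT_DIR/<name>.service; returns 1 if any were printed.
check_service_macros() {
    spec=$1
    unit_dir=$2
    # %{name} in a scriptlet expands to the Name: tag of the spec.
    pkg=$(sed -n 's/^Name:[[:space:]]*//p' "$spec" | head -n 1)
    rc=0
    while read -r macro svc; do
        [ -n "$macro" ] || continue
        case $svc in
            '%{name}'|'%name') svc=$pkg ;;
        esac
        if [ ! -f "$unit_dir/$svc.service" ]; then
            echo "$macro $svc: no $svc.service in $unit_dir"
            rc=1
        fi
    done <<EOF
$(awk '$1 ~ /^%_(post|preun)_service$/ { print $1, $2 }' "$spec")
EOF
    return $rc
}

# Constructed sample input: the two scriptlet variants from comment 9 and a
# unit directory holding only pdns.service, as in the listing in comment 8.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/units"
: > "$demo_dir/units/pdns.service"
cat > "$demo_dir/broken.spec" <<'EOF'
Name: pdns
%post
%_tmpfilescreate %{name}
%_post_service powerdns
%preun
%_preun_service powerdns
EOF
sed 's/_service powerdns/_service %{name}/' "$demo_dir/broken.spec" \
    > "$demo_dir/fixed.spec"

check_service_macros "$demo_dir/broken.spec" "$demo_dir/units" || echo "broken.spec: FAIL"
check_service_macros "$demo_dir/fixed.spec" "$demo_dir/units" && echo "fixed.spec: OK"
```
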
Comment 10 Oden Eriksson 2013-11-27 17:46:58 CET
fixed with pdns-3.3.1-1.mga3 & pdns-3.3.1-2.mga4.
Comment 11 David Walser 2013-11-27 18:02:20 CET
Thanks Oden.

Whiteboard: has_procedure feedback => has_procedure

Comment 12 claire robinson 2013-11-28 14:07:54 CET
Testing complete mga3 32
Comment 13 claire robinson 2013-11-28 14:08:26 CET
mga3 64 above :\

Whiteboard: has_procedure => has_procedure mga3-64-ok

Comment 14 Oden Eriksson 2013-11-28 15:58:07 CET
(In reply to claire robinson from comment #13)
> mga3 64 above :\

Huh?
claire robinson 2013-11-28 18:33:52 CET

Whiteboard: has_procedure mga3-64-ok => has_procedure advisory mga3-64-ok

Comment 15 claire robinson 2013-11-29 12:30:02 CET
Testing complete mga3 32 (really 32 this time)

Validating


Could sysadmin please push from 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga3-64-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 16 Thomas Backlund 2013-11-30 22:43:41 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0353.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

