Fedora has issued an advisory on October 4:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119014.html

The issue is fixed upstream in 1.2.9:
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05
https://polarssl.org/tech-updates/releases/polarssl-1.2.9-released

Mageia 3 is also affected.
Whiteboard: (none) => MGA3TOO
polarssl-1.3.0-1.mga4 has been submitted.
polarssl-1.2.9-1.mga3 has been submitted. NOTE. polarssl-1.3.0 bumps the major (2 -> 4), which would require at least pdns to be rebuilt for mga3, if one would upgrade to polarssl-1.3.0 that is.
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)
polarssl-1.3.1-1.mga3 has been submitted.

The upstream patches broke the API anyway, preventing pdns from building.
https://github.com/polarssl/polarssl/commit/43f9799ce61c6392a014d0a2ea136b4b3a9ee194
https://github.com/polarssl/polarssl/commit/6b06502c4b19ce40a88faca3528b9f3f0c87a755

This has been fixed in git by pdns upstream. Backporting pdns-3.3.1-1.1.mga4.src.rpm will fix this problem. To my knowledge only pdns uses polarssl.
pdns-3.3.1-0.1.mga3 has also been submitted.
Thanks Oden!

Advisory:
========================

Updated polarssl packages fix security vulnerability:

The researchers Cyril Arnaud and Pierre-Alain Fouque investigated the PolarSSL RSA implementation and discovered a bias in the implementation of the Montgomery multiplication that we used. For which they then show that it can be used to mount an attack on the RSA key. Although their test attack is done on a local system, there seems to be enough indication that this can properly be performed from a remote system as well (CVE-2013-5915).

Also, the pdns package has been updated to work with the updated polarssl.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5915
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119014.html
========================

Updated packages in core/updates_testing:
========================
polarssl-1.3.1-1.mga3
libpolarssl5-1.3.1-1.mga3
libpolarssl-devel-1.3.1-1.mga3
pdns-3.3.1-0.1.mga3
pdns-backend-pipe-3.3.1-0.1.mga3
pdns-backend-mysql-3.3.1-0.1.mga3
pdns-backend-pgsql-3.3.1-0.1.mga3
pdns-backend-ldap-3.3.1-0.1.mga3
pdns-backend-sqlite-3.3.1-0.1.mga3
pdns-backend-geo-3.3.1-0.1.mga3

from SRPMS:
polarssl-1.3.1-1.mga3.src.rpm
pdns-3.3.1-0.1.mga3.src.rpm
CC: (none) => oe
Assignee: oe => qa-bugs
Looks like the ragel package that Oden built is required by this pdns update, so adding that to the packages list.

Advisory:
========================

Updated polarssl packages fix security vulnerability:

The researchers Cyril Arnaud and Pierre-Alain Fouque investigated the PolarSSL RSA implementation and discovered a bias in the implementation of the Montgomery multiplication that we used. For which they then show that it can be used to mount an attack on the RSA key. Although their test attack is done on a local system, there seems to be enough indication that this can properly be performed from a remote system as well (CVE-2013-5915).

Also, the pdns package has been updated to work with the updated polarssl.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5915
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119014.html
========================

Updated packages in core/updates_testing:
========================
polarssl-1.3.1-1.mga3
libpolarssl5-1.3.1-1.mga3
libpolarssl-devel-1.3.1-1.mga3
pdns-3.3.1-0.1.mga3
pdns-backend-pipe-3.3.1-0.1.mga3
pdns-backend-mysql-3.3.1-0.1.mga3
pdns-backend-pgsql-3.3.1-0.1.mga3
pdns-backend-ldap-3.3.1-0.1.mga3
pdns-backend-sqlite-3.3.1-0.1.mga3
pdns-backend-geo-3.3.1-0.1.mga3
ragel-6.8-1.mga3

from SRPMS:
polarssl-1.3.1-1.mga3.src.rpm
pdns-3.3.1-0.1.mga3.src.rpm
ragel-6.8-1.mga3.src.rpm
Testing complete mga3 32

Testing with polarssl-selftest that all tests pass. The last few took some time to complete but all passed.

Configured /etc/powerdns/pdns.conf to listen on port 2000 so it wouldn't conflict with anything else and started the service, sent it a 'dig'

# dig www.example.com A @127.0.0.1 -p 2000

; <<>> DiG 9.9.3-P2 <<>> www.example.com A @127.0.0.1 -p 2000
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13964
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;www.example.com. IN A

;; Query time: 2 msec
;; SERVER: 127.0.0.1#2000(127.0.0.1)
;; WHEN: Wed Nov 27 15:59:22 GMT 2013
;; MSG SIZE rcvd: 44
Whiteboard: (none) => has_procedure mga3-32-ok
One noteworthy issue, adding feedback for now, when installing pdns..

Failed to issue method call: Unit powerdns.service failed to load: No such file or directory. See system logs and 'systemctl status powerdns.service' for details.
warning: %post(pdns-3.3.1-0.1.mga3.x86_64) scriptlet failed, exit status 6
ERROR: 'script' failed for pdns-3.3.1-0.1.mga3.x86_64:

It seems to be looking for powerdns.service when IINM it should look for pdns.service

# ls /lib/systemd/system/ | grep dns
dnsmasq.service
pdns.service
Whiteboard: has_procedure mga3-32-ok => has_procedure feedback
Indeed, and I imagine it's the same in Cauldron.

%post
%_tmpfilescreate %{name}
%_post_service powerdns

%preun
%_preun_service powerdns

Should be:

%post
%_tmpfilescreate %{name}
%_post_service %{name}

%preun
%_preun_service %{name}
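The mismatch reported above (scriptlets calling powerdns while the package ships pdns.service) can be caught before a build is submitted. The following is an added example, not part of the bug thread or the pdns package: a lint sketch that checks the service names passed to %_post_service and %_preun_service against a directory of unit files. The spec fragments and unit directory are constructed sample data, and the function names spec_services and missing_units are hypothetical.

```shell
#!/bin/sh
# Lint sketch: every service named in %_post_service / %_preun_service
# must correspond to a unit file that the package actually installs.

# Print each service name referenced by the scriptlet macros in a spec file,
# expanding %{name} from the spec's Name: tag.
spec_services() {
    spec=$1
    pkg=$(awk 'tolower($1) == "name:" { print $2; exit }' "$spec")
    awk -v pkg="$pkg" '
        $1 == "%_post_service" || $1 == "%_preun_service" {
            svc = $2
            gsub(/%[{]name[}]/, pkg, svc)
            print svc
        }' "$spec" | sort -u
}

# Print the referenced services that have no <name>.service in unit_dir.
# Return status is non-zero when at least one is missing.
missing_units() {
    spec=$1; unit_dir=$2; rc=0
    for svc in $(spec_services "$spec"); do
        if [ ! -f "$unit_dir/$svc.service" ]; then
            echo "$svc"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data (not the real pdns spec): a unit dir shipping
# pdns.service, one spec with the wrong name, one with the corrected macros.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/units"
: > "$demo_dir/units/pdns.service"
printf '%s\n' 'Name: pdns' '%post' '%_tmpfilescreate %{name}' \
    '%_post_service powerdns' '%preun' '%_preun_service powerdns' \
    > "$demo_dir/broken.spec"
printf '%s\n' 'Name: pdns' '%post' '%_tmpfilescreate %{name}' \
    '%_post_service %{name}' '%preun' '%_preun_service %{name}' \
    > "$demo_dir/fixed.spec"

echo "broken.spec missing: $(missing_units "$demo_dir/broken.spec" "$demo_dir/units")"
echo "fixed.spec missing:  $(missing_units "$demo_dir/fixed.spec" "$demo_dir/units")"
```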
fixed with pdns-3.3.1-1.mga3 & pdns-3.3.1-2.mga4.
Thanks Oden.
Whiteboard: has_procedure feedback => has_procedure
Testing complete mga3 32
mga3 64 above :\
Whiteboard: has_procedure => has_procedure mga3-64-ok
(In reply to claire robinson from comment #13)
> mga3 64 above :\

Huh?
Whiteboard: has_procedure mga3-64-ok => has_procedure advisory mga3-64-ok
Testing complete mga3 32 (really 32 this time)

Validating

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga3-64-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0353.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED