Fedora has issued an advisory on November 11: https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122274.html

The issue was fixed upstream in 0.8.9, and Red Hat has linked the upstream patch.

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated bip package fixes security vulnerability:

bip 0.8.8 and earlier contains an issue where failed SSL handshakes result in a resource leak. A remote attacker can use this flaw to cause bip to run out of resources, resulting in a denial of service (CVE-2013-4550).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4550
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122274.html
========================

Updated packages in core/updates_testing:
========================
bip-0.8.8-5.3.mga2
bip-0.8.8-11.1.mga3

from SRPMS:
bip-0.8.8-5.3.mga2.src.rpm
bip-0.8.8-11.1.mga3.src.rpm
Whiteboard: (none) => MGA2TOO
URL: (none) => http://lwn.net/Vulnerabilities/574573/
https://wiki.mageia.org/en/QA_procedure:Bip
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure advisory
Created attachment 4516: bip.conf

This is the bip.conf I'm using to test with. The login/password is mrsb/password on port 7778 and it'll join #mageia-qa as MrsBip2, so you might want to change those settings :)

When connecting to bip, for the server itself use the computer running bip and port 7778, then for the server password enter it as user:password:network. In the attached conf mine would be mrsb:password:freenode.
Testing complete mga3 64
Whiteboard: MGA2TOO has_procedure advisory => MGA2TOO has_procedure advisory mga3-64-ok
Testing complete mga2 64 and mga3 32
Whiteboard: MGA2TOO has_procedure advisory mga3-64-ok => MGA2TOO has_procedure advisory mga2-64-ok mga3-32-ok mga3-64-ok
Testing complete mga2 32. Validating.

Could sysadmin please push from 2&3 core/updates_testing to updates? Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure advisory mga2-64-ok mga3-32-ok mga3-64-ok => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0351.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
A second CVE was issued for another issue that was fixed with the same patch that fixed this issue. CVE-2011-5268 was also fixed here:
http://openwall.com/lists/oss-security/2014/01/02/9