Bug 11723 - bip new security issue CVE-2013-4550
Summary: bip new security issue CVE-2013-4550
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/574573/
Whiteboard: MGA2TOO has_procedure advisory mga2-3...
Keywords: validated_update
Depends on:
Blocks:

Reported: 2013-11-21 16:40 CET by David Walser
Modified: 2014-01-02 23:42 CET
CC List: 2 users

See Also:
Source RPM: bip-0.8.8-11.mga3.src.rpm
CVE:
Status comment:


Attachments:
bip.conf (4.45 KB, text/x-log), 2013-11-22 12:15 CET, claire robinson

Description David Walser 2013-11-21 16:40:13 CET
Fedora has issued an advisory on November 11:
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122274.html

The issue was fixed upstream in 0.8.9, and RedHat has linked the upstream patch.

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated bip package fixes security vulnerability:

bip 0.8.8 and earlier contains an issue where failed SSL handshakes result in a
resource leak. A remote attacker can use this flaw to cause bip to run out of
resources, resulting in a denial of service (CVE-2013-4550).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4550
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122274.html
========================

Updated packages in core/updates_testing:
========================
bip-0.8.8-5.3.mga2
bip-0.8.8-11.1.mga3

from SRPMS:
bip-0.8.8-5.3.mga2.src.rpm
bip-0.8.8-11.1.mga3.src.rpm

David Walser 2013-11-21 16:40:21 CET

Whiteboard: (none) => MGA2TOO

David Walser 2013-11-21 16:42:32 CET

URL: (none) => http://lwn.net/Vulnerabilities/574573/
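As an added illustration of the failure mode the advisory above describes (this is not bip's code and not the upstream patch that Fedora and Red Hat link), the C program below models a connection handler that takes a slot from a constructed fixed-size pool. It shows why an early return on a failed handshake eventually exhausts that pool so that no further client can be served, beside the single-cleanup-path form that releases the slot on every outcome. POOL_SIZE, conn_t, fake_handshake (odd descriptors fail by construction) and the handler names are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed per-connection pool: stands in for the sockets, SSL objects
 * and buffers a proxy allocates per client. Hypothetical, not bip's code. */
#define POOL_SIZE 16

typedef struct {
    int in_use;
    int fd;
    char buf[256];
} conn_t;

static conn_t pool[POOL_SIZE];

/* Number of connection slots currently held. */
int live_conns(void)
{
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++)
        n += pool[i].in_use;
    return n;
}

/* Claim a slot for a new client; NULL once the pool is exhausted, which is
 * the point where the daemon can no longer serve anyone (the denial of service). */
conn_t *conn_new(int fd)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].fd = fd;
            memset(pool[i].buf, 0, sizeof pool[i].buf);
            return &pool[i];
        }
    }
    return NULL;
}

void conn_free(conn_t *c)
{
    if (c)
        c->in_use = 0;
}

void pool_reset(void)
{
    memset(pool, 0, sizeof pool);
}

/* Stand-in for the TLS handshake: by construction, odd fds fail. */
int fake_handshake(const conn_t *c)
{
    return (c->fd % 2 == 0) ? 0 : -1;
}

/* Vulnerable pattern: the handshake-failure path returns before the slot is
 * released, so every failed handshake permanently consumes one slot. */
int accept_leaky(int fd)
{
    conn_t *c = conn_new(fd);
    if (!c)
        return -1;
    if (fake_handshake(c) < 0)
        return -1;          /* BUG: c is never freed */
    conn_free(c);           /* session finished, normal close */
    return 0;
}

/* Hardened pattern: one cleanup path that every outcome goes through. */
int accept_fixed(int fd)
{
    conn_t *c = conn_new(fd);
    if (!c)
        return -1;
    int rc = fake_handshake(c) < 0 ? -1 : 0;
    conn_free(c);           /* released on failure and on success alike */
    return rc;
}

/* Drive n failed handshakes through handler; return slots still held. */
int held_after_failures(int (*handler)(int), int n)
{
    pool_reset();
    for (int i = 0; i < n; i++)
        handler(2 * i + 1); /* odd fd => handshake fails */
    return live_conns();
}

/* After n failed handshakes, can a well-behaved client (even fd) still get
 * a session? 0 = yes, -1 = no (pool exhausted). */
int legit_client_after(int (*handler)(int), int n)
{
    held_after_failures(handler, n);
    return handler(2);
}

int main(void)
{
    printf("leaky: %d slots held after 40 failures, legit client rc=%d\n",
           held_after_failures(accept_leaky, 40),
           legit_client_after(accept_leaky, 40));
    printf("fixed: %d slots held after 40 failures, legit client rc=%d\n",
           held_after_failures(accept_fixed, 40),
           legit_client_after(accept_fixed, 40));
    return 0;
}
```

The pool counter is the detection angle a defender has on this class of bug: a steadily rising count of held connections (or open file descriptors) while the number of established sessions stays flat is the symptom, and a single cleanup path that runs on every return is the fix pattern, regardless of which resource leaks.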

Comment 1 claire robinson 2013-11-22 11:41:32 CET
https://wiki.mageia.org/en/QA_procedure:Bip

Whiteboard: MGA2TOO => MGA2TOO has_procedure

claire robinson 2013-11-22 11:49:53 CET

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure advisory

Comment 2 claire robinson 2013-11-22 12:15:36 CET
Created attachment 4516
bip.conf

This is the bip.conf I'm using to test with. The login/password is mrsb/password on port 7778 and it'll join #mageia-qa as MrsBip2 so you might want to change those settings :)
Comment 3 claire robinson 2013-11-22 12:21:38 CET
When connecting to bip, for the server itself use the computer running bip and port 7778, then for the server password enter it as user:password:network

In the attached conf mine would be mrsb:password:freenode
Comment 4 claire robinson 2013-11-22 12:22:00 CET
Testing complete mga3 64

Whiteboard: MGA2TOO has_procedure advisory => MGA2TOO has_procedure advisory mga3-64-ok

Comment 5 claire robinson 2013-11-22 12:41:45 CET
Testing complete mga2 64 and mga3 32

Whiteboard: MGA2TOO has_procedure advisory mga3-64-ok => MGA2TOO has_procedure advisory mga2-64-ok mga3-32-ok mga3-64-ok

Comment 6 claire robinson 2013-11-22 13:30:47 CET
Testing complete mga2 32

Validating.


Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
claire robinson 2013-11-22 13:31:04 CET

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure advisory mga2-64-ok mga3-32-ok mga3-64-ok => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2013-11-22 20:28:52 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0351.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 8 David Walser 2014-01-02 23:42:35 CET
A second CVE was issued for another issue that was fixed with the same patch that fixed this issue. CVE-2011-5268 was also fixed here:
http://openwall.com/lists/oss-security/2014/01/02/9
