Bug 11808 - quassel new security issue CVE-2013-6404
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/575368/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Keywords: validated_update
Reported: 2013-11-28 16:44 CET by David Walser
Modified: 2013-12-02 16:46 CET

Source RPM: quassel-0.9.1-1.mga3.src.rpm
Description David Walser 2013-11-28 16:44:10 CET
A CVE has been assigned for a security issue fixed in quassel 0.9.2:
http://www.openwall.com/lists/oss-security/2013/11/28/8

Information about the 0.9.2 release:
http://freecode.com/projects/quassel/releases/359566
http://quassel-irc.org/node/123

Comment 1 David Walser 2013-11-28 16:44:36 CET
Freeze push requested for Cauldron.  Checked into SVN for Mageia 3.

Comment 2 David Walser 2013-11-30 18:18:50 CET
quassel-0.9.2-1.mga4 uploaded for Cauldron.  Mageia 3 update building now.

Comment 3 David Walser 2013-11-30 18:26:53 CET
Advisory:
========================

Updated quassel packages fix security vulnerability:

Security vulnerability in Quassel before 0.9.2 through which a manipulated, but
properly authenticated client was able to retrieve the backlog of other users
on the same core in some cases (CVE-2013-6404).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6404
http://freecode.com/projects/quassel/releases/359566
http://quassel-irc.org/node/123
http://www.openwall.com/lists/oss-security/2013/11/28/8
========================

Updated packages in core/updates_testing:
========================
quassel-0.9.2-1.mga3
quassel-common-0.9.2-1.mga3
quassel-client-0.9.2-1.mga3
quassel-core-0.9.2-1.mga3

from quassel-0.9.2-1.mga3.src.rpm

Comment 4 Dave Hodgins 2013-11-30 18:34:49 CET
Advisory 11808.adv committed to svn. No poc provided, so just need to test that
the update works.

Comment 5 Dave Hodgins 2013-11-30 20:00:48 CET
Testing complete on Mageia 3 i586 and x86_64. Validating the update.

Someone from the sysadmin team please push 11808.adv to updates.

Comment 6 Thomas Backlund 2013-11-30 22:49:19 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0362.html
