Fedora has issued an advisory on January 27:
The issue is fixed upstream in 2.2.1.
Mageia 3 and Mageia 4 are also affected.
Steps to Reproduce:
A flaw in Tntnet allows remote attackers to obtain sensitive information via a header that ends in \n instead of \r\n, which prevents a null terminator from being added and causes Tntnet to include headers from other requests.
This update fixes the vulnerability.
Updated packages in mga3+mga4 core/updates_testing and cauldron core/release.
Just making some formatting changes.
Updated tntnet packages fix security vulnerability:
A flaw in Tntnet before 2.2.1 allows remote attackers to obtain sensitive
information via a header that ends in \n instead of \r\n, which prevents a
null terminator from being added and causes Tntnet to include headers from
other requests (CVE-2013-7299).
Updated packages in core/updates_testing:
MGA4TOO, MGA3TOO =>
Procedure: Follow "How to create your first web application" from
To create a web application it is necessary to create some initial project files. This is achieved by executing tntnet-config:
a directory "myfirstproject"
a source file "myfirstproject.ecpp" containing your application
a configurationfile "tntnet.xml"
To build and execute your first enter the following commands:
Now you can start your web browser and navigate to http://localhost:8000/myfirstproject.
You can see the result of your first running tntnet application, which prints the name of the application.
Testing mga3 64
The lib devel is providing /usr/bin/tntnet-config which seems wrong, can you confirm this is correct Anssi please?
$ urpmf tntnet-config
MGA3TOO has_procedure feedback
It is debatable, but I think it is OK.
IIRC Tntnet web applications are C++ software compiled against Tntnet, so you need the -devel package to build them.
Debian and Fedora also have tntnet-config in -devel.
MGA3TOO has_procedure feedback =>
Testing complete mga3 32 & 64
MGA3TOO has_procedure =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok
MGA3TOO has_procedure mga3-32-ok mga3-64-ok =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory
tntnet requires libcxxtools (bug 12691) so both can be tested together.
(In reply to claire robinson from comment #4)
> Testing mga3 64
> The lib devel is providing /usr/bin/tntnet-config which seems wrong, can you
> confirm this is correct Anssi please?
> $ urpmf tntnet-config
And a require/suggest for gcc-c++
g++ -I/usr/include -fPIC -O2 -c -o myfirstproject.o myfirstproject.cpp
make: g++: commande introuvable
MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK advisory
Tested Mga3 32-bit, worked as expected before and after update.
So that seems to complete testing for this one.
See comment 2 for advisory and SRPM.
Could sysadmin please push from core/updates_testing to core/updates.
MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK advisory =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK mga4-32-ok advisory
(In reply to Carolyn Rowse from comment #10)
> See comment 2 for advisory and SRPM.
Actually the advisory was already uploaded to SVN.