Fedora has issued an advisory on January 27: https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127746.html

The issue is fixed upstream in 2.2.1. Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Advisory:
============

A flaw in Tntnet allows remote attackers to obtain sensitive information via a header that ends in \n instead of \r\n, which prevents a null terminator from being added and causes Tntnet to include headers from other requests.

This update fixes the vulnerability.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7299
============

Updated packages in mga3+mga4 core/updates_testing and cauldron core/release.

Source packages:
tntnet-2.1-2.1.mga3
tntnet-2.2-2.1.mga4

Binary packages:
tntnet-2.1-2.1.mga3
tntnet-demos-2.1-2.1.mga3
lib64tntnet10-2.1-2.1.mga3
lib64tntnet-devel-2.1-2.1.mga3
tntnet-2.2-2.1.mga4
tntnet-demos-2.2-2.1.mga4
lib64tntnet11-2.2-2.1.mga4
lib64tntnet-devel-2.2-2.1.mga4
Keywords: (none) => Security
Status: NEW => ASSIGNED
CC: (none) => anssi.hannula
Hardware: i586 => All
CVE: (none) => CVE-2013-7299
Assignee: anssi.hannula => qa-bugs
Thanks Anssi! Just making some formatting changes.

Advisory:
========================

Updated tntnet packages fix security vulnerability:

A flaw in Tntnet before 2.2.1 allows remote attackers to obtain sensitive information via a header that ends in \n instead of \r\n, which prevents a null terminator from being added and causes Tntnet to include headers from other requests (CVE-2013-7299).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7299
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127746.html
========================

Updated packages in core/updates_testing:
========================
tntnet-2.1-2.1.mga3
tntnet-demos-2.1-2.1.mga3
libtntnet10-2.1-2.1.mga3
libtntnet-devel-2.1-2.1.mga3
tntnet-2.2-2.1.mga4
tntnet-demos-2.2-2.1.mga4
libtntnet11-2.2-2.1.mga4
libtntnet-devel-2.2-2.1.mga4

from SRPMS:
tntnet-2.1-2.1.mga3.src.rpm
tntnet-2.2-2.1.mga4.src.rpm
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
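Added illustration for readers of this report (not Tntnet's source and not part of the original bug, so the struct, function names and the two sample header lines are constructed assumptions): a small C++ model of the flaw class the advisory describes. A per-connection buffer is reused across requests; the flawed reader writes the '\0' only when the header line ended in "\r\n", so a line ending in a bare "\n" leaves stale bytes from the previous request readable past the new header. The hardened reader terminates unconditionally and passes the header on by explicit length.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Constructed model of a per-connection input buffer that is reused from one
// request to the next without being cleared (an assumption for illustration,
// not Tntnet's actual data structure).
struct LineBuffer {
    char data[64] = {};   // zero-filled only once, when the connection is created
    std::size_t len = 0;
};

// Strips "\r\n" or a bare "\n" from the end of a received header line and
// returns the number of bytes that belong to the header itself.
static std::size_t headerLength(const std::string& line) {
    std::size_t n = line.size();
    if (n > 0 && line[n - 1] == '\n') --n;
    if (n > 0 && line[n - 1] == '\r') --n;
    return n;
}

// Flawed pattern described in the advisory: the '\0' is written only when the
// line ended in "\r\n". A line that ends in a bare "\n" leaves the buffer
// unterminated, so reading it as a C string runs on into bytes left behind by
// the previous request on the same connection.
std::string readHeaderFlawed(LineBuffer& buf, const std::string& line) {
    std::size_t n = headerLength(line);
    if (n >= sizeof buf.data) return std::string();   // oversize lines are dropped, never overflowed
    std::memcpy(buf.data, line.data(), n);
    buf.len = n;
    bool crlf = line.size() >= 2 && line[line.size() - 2] == '\r';
    if (crlf) buf.data[n] = '\0';
    return std::string(buf.data);   // length comes from the (possibly missing) terminator
}

// Hardened form: terminate the buffer regardless of how the line ended, and
// hand the header to the caller by explicit length so nothing depends on
// stale bytes beyond it.
std::string readHeaderFixed(LineBuffer& buf, const std::string& line) {
    std::size_t n = headerLength(line);
    if (n >= sizeof buf.data) return std::string();
    std::memcpy(buf.data, line.data(), n);
    buf.data[n] = '\0';
    buf.len = n;
    return std::string(buf.data, buf.len);
}

// Two requests on one connection: the first carries a header worth protecting,
// the second ends its header line in a bare "\n". Returns the header the
// application would see for the second request. Both lines are constructed
// sample input, not captured traffic.
std::string secondRequestSeen(bool fixed) {
    LineBuffer buf;
    const std::string first  = "X-Secret: 123\r\n";
    const std::string second = "Host: b\n";
    if (fixed) {
        readHeaderFixed(buf, first);
        return readHeaderFixed(buf, second);
    }
    readHeaderFlawed(buf, first);
    return readHeaderFlawed(buf, second);
}

int main() {
    std::string leaked = secondRequestSeen(false);
    std::string clean  = secondRequestSeen(true);
    std::printf("flawed reader sees: \"%s\"\n", leaked.c_str());   // tail of the first request's header shows through
    std::printf("fixed reader sees:  \"%s\"\n", clean.c_str());
    return 0;
}
```

The two checks a reviewer would look for in a fix of this class are visible in readHeaderFixed: the terminator is written on every path, and the header is handed on with its length rather than by scanning for '\0'. Either one alone closes the leak in this model; together they also stop the next missed edge case from reopening it.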
Procedure:

Follow "How to create your first web application" from http://www.tntnet.org/quick-start-guide.html

----------------------
To create a web application it is necessary to create some initial project files. This is achieved by executing tntnet-config:

    tntnet-config --project=myfirstproject

This creates:
  a directory "myfirstproject"
  a source file "myfirstproject.ecpp" containing your application
  a configuration file "tntnet.xml"
  a Makefile

To build and execute your first application, enter the following commands:

    cd myfirstproject
    make
    tntnet

Now you can start your web browser and navigate to http://localhost:8000/myfirstproject. You can see the result of your first running tntnet application, which prints the name of the application.
----------------------
Testing mga3 64

The lib devel is providing /usr/bin/tntnet-config, which seems wrong. Can you confirm this is correct, Anssi, please?

$ urpmf tntnet-config
lib64tntnet-devel:/usr/bin/multiarch-x86_64-linux/tntnet-config
lib64tntnet-devel:/usr/bin/tntnet-config
lib64tntnet-devel:/usr/share/man/man1/tntnet-config.1.xz
Whiteboard: MGA3TOO => MGA3TOO has_procedure feedback
It is debatable, but I think it is OK. IIRC Tntnet web applications are C++ software compiled against Tntnet, so you need the -devel package to build them. Debian and Fedora also have tntnet-config in -devel.
Whiteboard: MGA3TOO has_procedure feedback => MGA3TOO has_procedure
Testing complete mga3 32 & 64
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Advisory uploaded.
CC: (none) => stormi
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory
tntnet requires libcxxtools (bug 12691) so both can be tested together.
(In reply to claire robinson from comment #4)
> Testing mga3 64
>
> The lib devel is providing /usr/bin/tntnet-config which seems wrong, can you
> confirm this is correct Anssi please?
>
> $ urpmf tntnet-config
> lib64tntnet-devel:/usr/bin/multiarch-x86_64-linux/tntnet-config
> lib64tntnet-devel:/usr/bin/tntnet-config
> lib64tntnet-devel:/usr/share/man/man1/tntnet-config.1.xz

And a require/suggest for gcc-c++:

g++ -I/usr/include -fPIC -O2 -c -o myfirstproject.o myfirstproject.cpp
make: g++: commande introuvable
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK advisory
Tested Mga3 32-bit, worked as expected before and after update. So that seems to complete testing for this one. Update validated. See comment 2 for advisory and SRPM. Could sysadmin please push from core/updates_testing to core/updates. Thank you.
Keywords: (none) => validated_update
CC: (none) => isolde, sysadmin-bugs
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK advisory => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK mga4-32-ok advisory
(In reply to Carolyn Rowse from comment #10)
> See comment 2 for advisory and SRPM.
>
Actually the advisory was already uploaded to SVN.
Update pushed: http://advisories.mageia.org/MGASA-2014-0072.html
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED