Debian has issued an advisory on June 21:
https://www.debian.org/security/2014/dsa-2964

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated iodine packages fix security vulnerability:

Oscar Reparaz discovered an authentication bypass vulnerability in iodine, a tool for tunneling IPv4 data through a DNS server. A remote attacker could provoke a server to accept the rest of the setup or also network traffic by exploiting this flaw (CVE-2014-4168).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4168
https://www.debian.org/security/2014/dsa-2964
========================

Updated packages in core/updates_testing:
========================
iodine-server-0.6.0-0.rc1.3.mga3
iodine-client-0.6.0-0.rc1.3.mga3
iodine-server-0.6.0-0.rc1.4.mga4
iodine-client-0.6.0-0.rc1.4.mga4

from SRPMS:
iodine-0.6.0-0.rc1.3.mga3.src.rpm
iodine-0.6.0-0.rc1.4.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
Some testing info here: http://code.kryo.se/iodine/README.html
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing complete mga4 32 & 64

Followed the Quickstart at the link above. Installed iodine-server on one and iodine-client on the other.

On the server with IP 192.168.1.3

# iodined -f 10.0.0.1 test.com
Enter password:
Opened dns0
Setting IP of dns0 to 10.0.0.1
Setting MTU of dns0 to 1130
Opened UDP socket
Listening to dns for domain test.com

Then on the client

# iodine -f -r 192.168.1.3 test.com
Enter password:
Opened dns0
Opened UDP socket
Sending DNS queries for test.com to 192.168.1.3
Autodetecting DNS query type (use -T to override).
Using DNS type NULL queries
Version ok, both using protocol v 0x00000502. You are user #0
Setting IP of dns0 to 10.0.0.2
Setting MTU of dns0 to 1130
Server tunnel IP is 10.0.0.1
Skipping raw mode
Using EDNS0 extension
Switching upstream to codec Base128
Server switched upstream to codec Base128
No alternative downstream codec available, using default (Raw)
Switching to lazy mode for low-latency
Server switched to lazy mode
Autoprobing max downstream fragment size... (skip with -m fragsize)
768 ok.. 1152 ok.. ...1344 not ok.. ...1248 not ok.. ...1200 not ok.. 1176 ok.. 1188 ok.. will use 1188-2=1186
Setting downstream fragment size to max 1186...
Connection setup complete, transmitting data.

Set similar settings in /etc/sysconfig/iodine-server on the server and started the iodine-server service. Did the same in /etc/sysconfig/iodine-client on the client and started the iodine-client service.

Checked /var/log/iodine-client.log for errors on the client and iodine-server.log on the server.

Repeated with server and client reversed.

Pings to 10.0.0.1 or 10.0.0.2 fail, but there may be some other routing to do first. Ubuntu uses a client script to properly configure things by the looks of it.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Testing complete mga3 32 & 64
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0277.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED