Ubuntu has issued an advisory on August 14: http://www.ubuntu.com/usn/usn-2315-1/

The issue was fixed upstream in 1.3.7, just uploaded in Cauldron. Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated serf packages fix security vulnerability:

Ben Reser discovered that serf did not correctly handle SSL certificates with NUL bytes in the CommonName or SubjectAltNames fields. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications (CVE-2014-3504).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3504
http://www.ubuntu.com/usn/usn-2315-1/
========================

Updated packages in core/updates_testing:
========================
libserf0-1.1.1-2.1.mga3
libserf-devel-1.1.1-2.1.mga3
libserf1-1.3.2-2.1.mga4
libserf-devel-1.3.2-2.1.mga4

from SRPMS:
serf-1.1.1-2.1.mga3.src.rpm
serf-1.3.2-2.1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
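The defect class behind CVE-2014-3504 is a hostname check that treats a certificate name as a NUL-terminated C string even though the ASN.1 encoding carries an explicit length. The example below is added here for illustration and is not serf's code; it contrasts a naive `strcmp`-style match with a length-aware check that rejects embedded NUL bytes and matches a single leading `*.` wildcard label. The hostnames and the certificate name bytes are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed certificate CommonName: the ASN.1 length covers all 30 bytes,
 * but a C-string view stops at the embedded NUL after "www.good.example". */
static const unsigned char EVIL_CN[] = "www.good.example\0.evil.example";
#define EVIL_CN_LEN (sizeof(EVIL_CN) - 1)   /* 30: the length the parser reports */

/* Case-insensitive comparison of two names given with explicit lengths. */
static bool name_eq(const unsigned char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++) {
        unsigned char x = a[i], y = (unsigned char)b[i];
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y)
            return false;
    }
    return true;
}

/* Vulnerable pattern: ignores the encoded length and lets strcmp stop at
 * the first NUL, so "www.good.example\0..." matches www.good.example. */
bool naive_match(const unsigned char *cert_name, size_t cert_len, const char *host)
{
    (void)cert_len;
    return strcmp((const char *)cert_name, host) == 0;
}

/* Hardened check: honours the encoded length, rejects any embedded NUL
 * outright, and allows "*." to stand for exactly one leftmost DNS label. */
bool safe_match(const unsigned char *cert_name, size_t cert_len, const char *host)
{
    if (cert_len == 0 || memchr(cert_name, '\0', cert_len) != NULL)
        return false;                      /* malformed name: never matches */

    size_t host_len = strlen(host);
    if (cert_len >= 2 && cert_name[0] == '*' && cert_name[1] == '.') {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return false;                  /* wildcard needs a label to absorb */
        /* compare ".good.example" against the host's remainder after label 1 */
        return name_eq(cert_name + 1, cert_len - 1, dot, host_len - (size_t)(dot - host));
    }
    return name_eq(cert_name, cert_len, host, host_len);
}

int main(void)
{
    const char *host = "www.good.example";
    printf("naive : %s\n", naive_match(EVIL_CN, EVIL_CN_LEN, host) ? "MATCH" : "reject");
    printf("safe  : %s\n", safe_match(EVIL_CN, EVIL_CN_LEN, host) ? "MATCH" : "reject");
    return 0;
}
```

The decisive detail is that `safe_match` never derives the name's length from the bytes themselves; it takes the length the certificate parser reports and treats any NUL inside that span as a reason to fail closed.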
The description of *this* thing: "The serf library is a C-based HTTP client library built upon the Apache Portable Runtime (APR) library. It multiplexes connections, running the read/write communication asynchronously. Memory copies and transformations are kept to a minimum to provide high performance operation." Home page http://code.google.com/p/serf/ should not be confused with http://www.serfdom.io/intro/ : "What is Serf? Serf is a tool for cluster membership, failure detection, and orchestration that is decentralized, fault-tolerant and highly available." Beware.
CC: (none) => lewyssmith
I think the bottom line for this one is that nothing uses it in Mageia 3 (so just make sure it installs fine) and subversion uses it in Mageia 4 (so validate this one along with the subversion update).
Testing complete mga4 64

The serf binary is not provided, only the library, so this is really the best testing we can do in this case.

$ strace -o ~/strace.out svn up
Updating '.':
At revision 1880.

$ grep serf ~/strace.out
open("/usr/lib64/libsvn_ra_serf-1.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libserf-1.so.1", O_RDONLY|O_CLOEXEC) = 3

Shows the library being used..

$ urpmf /usr/lib64/libserf-1.so.1
lib64serf1:/usr/lib64/libserf-1.so.1
lib64serf1:/usr/lib64/libserf-1.so.1.3.0
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing complete mga3 32

# urpmq --whatrequires libserf0
libserf-devel
libserf0

As the lib is not used by any packages in mga3, just ensuring the update applies cleanly.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0353.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED