Bug 14040 - smack new security issues CVE-2014-5075 and CVE-2014-0363
Summary: smack new security issues CVE-2014-5075 and CVE-2014-0363
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/610410/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-02 20:47 CEST by David Walser
Modified: 2014-12-26 18:05 CET

See Also:
Source RPM: smack-3.2.2-4.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-09-02 20:47:33 CEST
Fedora has issued an advisory on August 23:
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137233.html

Mageia 4 is also affected.

They fixed it in this commit:
http://pkgs.fedoraproject.org/cgit/smack.git/commit/?id=b16cc9479639845fcc6511762dd4b2768fc4584c

David Walser 2014-09-02 20:47:41 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 Sander Lepik 2014-11-29 15:54:46 CET
Dropped from cauldron.

Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4
CC: (none) => mageia

Comment 2 David Walser 2014-12-15 20:13:43 CET
Fedora has issued an advisory on December 6:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146206.html

This fixes an additional security issue, from this commit:
http://pkgs.fedoraproject.org/cgit/smack.git/commit/?id=48915f05037f5c246878f9b6a6fab78bfcd6c86f

Summary: smack new security issue CVE-2014-5075 => smack new security issues CVE-2014-5075 and CVE-2014-0363

Comment 3 David Walser 2014-12-15 21:12:46 CET
LWN reference for CVE-2014-0363:
http://lwn.net/Vulnerabilities/626432/

Comment 4 David Walser 2014-12-24 22:19:32 CET
Still gone from Cauldron for now (thankfully).

Patches from Fedora added and re-synced with Fedora 20 in Mageia 4 SVN.

Comment 5 David Walser 2014-12-24 23:43:25 CET
Patched package uploaded for Mageia 4.

Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated smack packages fix security vulnerabilities:

The ServerTrustManager component in the Ignite Realtime Smack XMPP API
before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in
X.509 certificate chains from SSL servers, which allows man-in-the-middle
attackers to spoof servers and obtain sensitive information via a crafted
certificate chain (CVE-2014-0363).

The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a
custom SSLContext is used, does not verify that the server hostname matches
a domain name in the subject's Common Name (CN) or subjectAltName field of
the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL
servers via an arbitrary valid certificate (CVE-2014-5075).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5075
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137233.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146206.html
========================

Updated package in core/updates_testing:
========================
smack-3.2.2-4.1.mga4
smack-javadoc-3.2.2-4.1.mga4

from smack-3.2.2-4.1.mga4.src.rpm

Assignee: dmorganec => qa-bugs
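
An added illustration of the CVE-2014-5075 class of problem described in the advisory above, not code from Smack, Fedora or Mageia: with plain JSSE, an engine created from an application-supplied SSLContext has no endpoint identification algorithm set, so a chain that validates is accepted for any host until hostname checking is switched on. The class name and `xmpp.example.org` are constructed for the example; 5222 is the standard XMPP client port.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class EndpointIdCheck {
    // Constructed sample value, not taken from the bug report.
    static final String XMPP_DOMAIN = "xmpp.example.org";

    /** Endpoint identification algorithm the engine will apply; null means no hostname check. */
    static String endpointId(SSLEngine engine) {
        return engine.getSSLParameters().getEndpointIdentificationAlgorithm();
    }

    /** Enables RFC 2818-style matching of the peer host against subjectAltName/CN. */
    static SSLEngine withHostnameCheck(SSLEngine engine) {
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a "custom SSLContext" supplied by the application.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key and trust managers

        // The peer host given here is the name the certificate is compared to
        // during the handshake, but only once an algorithm has been set.
        SSLEngine asCreated = ctx.createSSLEngine(XMPP_DOMAIN, 5222);
        asCreated.setUseClientMode(true);
        System.out.println("as created: " + endpointId(asCreated));

        SSLEngine hardened = withHostnameCheck(ctx.createSSLEngine(XMPP_DOMAIN, 5222));
        hardened.setUseClientMode(true);
        System.out.println("hardened:   " + endpointId(hardened));
    }
}
```

The same `SSLParameters` call applies to an `SSLSocket` obtained from the context's socket factory, and it must be made before the handshake starts.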

Comment 6 Herman Viaene 2014-12-26 10:47:31 CET
MGA4-64 on HP Probook 6555b
No installation issues.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK

Comment 7 Herman Viaene 2014-12-26 10:51:13 CET
MGA4-32 on Acer D620 Xfce.
No installation issues.

Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK

Comment 8 claire robinson 2014-12-26 11:08:53 CET
Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2014-12-26 18:05:42 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0548.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

