Fedora has issued an advisory on September 11:
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138550.html
Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Dropped from cauldron.
Whiteboard: MGA4TOO, MGA3TOO => (none)
Version: Cauldron => 4
CC: (none) => mageia
Still gone from Cauldron for now (thankfully). In Mageia 4 SVN it's updated to 0.3.15 to fix this and synced with Fedora 20.
Updated package uploaded for Mageia 4.
Verifying that the updated packages install cleanly is sufficient for testing this update.
Advisory:
========================
Updated not-yet-commons-ssl packages fix security vulnerability:
It was discovered that the implementation used by the Not Yet Commons SSL project to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where the attacker can spoof a valid certificate using a specially crafted subject (CVE-2014-3604).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3604
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138550.html
========================
Updated package in core/updates_testing:
========================
not-yet-commons-ssl-0.3.15-1.mga4
not-yet-commons-ssl-javadoc-0.3.15-1.mga4
from not-yet-commons-ssl-0.3.15-1.mga4.src.rpm
Assignee: dmorganec => qa-bugs
Testing on Mageia 4x32 real hardware.
First installed current packages:
not-yet-commons-ssl-0.3.11-4.mga4
not-yet-commons-ssl-javadoc-0.3.11-4.mga4
Then updated to testing packages:
not-yet-commons-ssl-0.3.15-1.mga4
not-yet-commons-ssl-javadoc-0.3.15-1.mga4
No problem detected during installation.
CC: (none) => olchal
Whiteboard: (none) => MGA4-32-OK
MGA4-64 on HP Probook 6555b.
No installation issues.
CC: (none) => herman.viaene
Whiteboard: MGA4-32-OK => MGA4-32-OK mga4-64-ok
Validating. Advisory uploaded. Please push to updates. Thanks.
Whiteboard: MGA4-32-OK mga4-64-ok => advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0551.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED