Bug 14175 - not-yet-commons-ssl new security issue CVE-2014-3604
Summary: not-yet-commons-ssl new security issue CVE-2014-3604
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/613190/
Whiteboard: advisory MGA4-32-OK mga4-64-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-25 21:20 CEST by David Walser
Modified: 2014-12-26 18:05 CET (History)
4 users (show)

See Also:
Source RPM: not-yet-commons-ssl-0.3.11-5.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2014-09-25 21:20:19 CEST 
Fedora has issued an advisory on September 11:
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138550.html

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-09-25 21:20:25 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Sander Lepik 2014-11-29 16:07:20 CET 
Dropped from cauldron.

Whiteboard: MGA4TOO, MGA3TOO => (none)
Version: Cauldron => 4
CC: (none) => mageia

Comment 2 David Walser 2014-12-24 22:53:08 CET 
Still gone from Cauldron for now (thankfully).

In Mageia 4 SVN it's updated to 0.3.15 to fix this and synced with Fedora 20.
Comment 3 David Walser 2014-12-24 23:43:35 CET 
Updated package uploaded for Mageia 4.

Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated not-yet-commons-ssl packages fixes security vulnerability:

It was discovered that the implementation used by the Not Yet Commons SSL
project to check that the server hostname matches the domain name in the
subject's CN field was flawed. This can be exploited by a Man-in-the-middle
(MITM) attack, where the attacker can spoof a valid certificate using a
specially crafted subject (CVE-2014-3604).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3604
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138550.html
========================

Updated package in core/updates_testing:
========================
not-yet-commons-ssl-0.3.15-1.mga4
not-yet-commons-ssl-javadoc-0.3.15-1.mga4

from not-yet-commons-ssl-0.3.15-1.mga4.src.rpm

Assignee: dmorganec => qa-bugs

Comment 4 olivier charles 2014-12-25 21:54:32 CET 
Testing on Mageia 4x32 real hardware.

First installed current packages :
not-yet-commons-ssl-0.3.11-4.mga4
not-yet-commons-ssl-javadoc-0.3.11-4.mga4

Then updated to testing packages :
not-yet-commons-ssl-0.3.15-1.mga4
not-yet-commons-ssl-javadoc-0.3.15-1.mga4

No problem detected during installation.

CC: (none) => olchal
Whiteboard: (none) => MGA4-32-OK

Comment 5 Herman Viaene 2014-12-26 09:37:00 CET 
MGA4-64 on HP Probook 6555b
No installation issues.

CC: (none) => herman.viaene

claire robinson 2014-12-26 10:42:18 CET

Whiteboard: MGA4-32-OK => MGA4-32-OK mga4-64-ok

Comment 6 claire robinson 2014-12-26 10:48:40 CET 
Validating. Advisory uploaded.

Please push to updates

Thanks

Whiteboard: MGA4-32-OK mga4-64-ok => advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Mageia Robot 2014-12-26 18:05:51 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0551.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.