Bug 14384 - quassel new security issue CVE-2014-8483
Summary: quassel new security issue CVE-2014-8483
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/618455/
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-10-27 10:40 CET by David Walser
Modified: 2014-10-29 18:19 CET

See Also:
Source RPM: quassel-0.9.2-1.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-10-27 10:40:47 CET
A CVE has been assigned for a security issue fixed upstream on October 26:
http://openwall.com/lists/oss-security/2014/10/26/1

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated quassel packages fix security vulnerability:

Due to an out-of-bounds read issue in Quassel core in the ECB Blowfish
decryption function, a malicious client can cause either denial of service or
disclosure of information from process memory by using an improperly formed
message (CVE-2014-8483).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8483
http://bugs.quassel-irc.org/issues/1314
http://openwall.com/lists/oss-security/2014/10/26/1
========================

Updated packages in core/updates_testing:
========================
quassel-0.9.2-1.1.mga3
quassel-common-0.9.2-1.1.mga3
quassel-client-0.9.2-1.1.mga3
quassel-core-0.9.2-1.1.mga3
quassel-0.9.2-1.1.mga4
quassel-common-0.9.2-1.1.mga4
quassel-client-0.9.2-1.1.mga4
quassel-core-0.9.2-1.1.mga4

from SRPMS:
quassel-0.9.2-1.1.mga3.src.rpm
quassel-0.9.2-1.1.mga4.src.rpm

David Walser 2014-10-27 10:40:53 CET

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-10-27 20:40:48 CET
Updated quassel working fine here at work, Mageia 3 i586.

Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK

Comment 2 Rémi Verschelde 2014-10-28 13:40:13 CET
Testing complete Mageia 3 x86_64.

CC: (none) => remi
Whiteboard: MGA3TOO MGA3-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK

Comment 3 Rémi Verschelde 2014-10-28 14:00:51 CET
Advisory uploaded.

Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK advisory

Comment 4 David Walser 2014-10-28 14:05:40 CET
Updated quassel working fine on Mageia 4 i586.

Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK advisory => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK advisory

Comment 5 Rémi Verschelde 2014-10-29 09:52:22 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2014-10-29 12:31:28 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0436.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-10-29 18:19:04 CET

URL: (none) => http://lwn.net/Vulnerabilities/618455/

