Fedora has issued an advisory on October 17: https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141493.html I don't know whether or not this should be updated in Mageia 3 or Mageia 4, but we should at least update it in Cauldron.
Yes it seems worth an update, I'll try to work on it
Test of no longer hardcoding SSLv3:

Before:
[pterjan@chopin-cauldron-64 ruby-httpclient]$ httpclient get https://www.google.co.jp/?q=ruby 2>&1 | grep 'Protocol version'
Protocol version: SSLv3

After:
[pterjan@chopin-cauldron-64 ruby-httpclient]$ httpclient get https://www.google.co.jp/?q=ruby 2>&1 | grep 'Protocol version'
Protocol version: TLSv1.2
Uploaded to 3 and 4 updates_testing

Before:
$ httpclient get https://mageia.org/ 2>/dev/null | grep title
"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>302 Found</title>\n</head><body>\n<h1>Found</h1>\n<p>The document has moved <a href=\"https://www.mageia.org/\">here</a>.</p>\n<hr>\n<address>Apache/2.2.25 (Mageia/PREFORK-1.mga2) Server at mageia.org Port 443</address>\n</body></html>\n",
$ httpclient get https://mageia.org/ 2>&1 | grep 'Protocol version'
Protocol version: SSLv3

After:
$ httpclient get https://mageia.org/ 2>/dev/null | grep title
"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>302 Found</title>\n</head><body>\n<h1>Found</h1>\n<p>The document has moved <a href=\"https://www.mageia.org/\">here</a>.</p>\n<hr>\n<address>Apache/2.2.25 (Mageia/PREFORK-1.mga2) Server at mageia.org Port 443</address>\n</body></html>\n",
$ httpclient get https://mageia.org/ 2>&1 | grep 'Protocol version'
Protocol version: TLSv1
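What the two comments above are measuring, shown at the socket level as an added example. This script is not from the bug report or from the ruby-httpclient project; it uses only Ruby's standard openssl and socket libraries, and every helper name in it (make_self_signed_cert, start_tls_server, negotiated_protocol, hardcoded_sslv3_attempt, stop_tls_server) is this example's own. It starts a throwaway HTTPS responder on loopback with a constructed self-signed certificate, then connects twice: once pinning the protocol to SSLv3 the way ruby-httpclient 2.3.x did, and once with SSLv3 excluded and everything above it left to negotiation, which is what 2.4.0 does. The negotiated string it reports is the same value the httpclient CLI prints as "Protocol version"; which TLS version you see depends on the local OpenSSL build (TLSv1.2 or TLSv1.3 on current systems), and the pinned SSLv3 attempt is refused on any OpenSSL built without SSLv3, which is the norm today.

```ruby
# Added example, not code from the bug or from ruby-httpclient.
# Helper names below are this example's own.
require 'openssl'
require 'socket'
require 'timeout'

# Constructed test material: a throwaway self-signed cert for localhost.
def make_self_signed_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Minimal HTTPS responder on a random loopback port; returns [port, listener, thread].
def start_tls_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  listener = TCPServer.new('127.0.0.1', 0)
  server   = OpenSSL::SSL::SSLServer.new(listener, ctx)
  thread = Thread.new do
    loop do
      begin
        conn = server.accept                     # TCP accept + TLS handshake
      rescue OpenSSL::SSL::SSLError, EOFError, Errno::ECONNRESET
        next                                     # handshake rejected (e.g. an SSLv3-only client); keep serving
      rescue IOError, SystemCallError
        break                                    # listener closed by stop_tls_server
      end
      begin
        conn.gets                                # consume the request line; the reply is fixed
        conn.write "HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok"
      rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
        # client went away mid-request; nothing to do
      ensure
        conn.close
      end
    end
  end
  [listener.addr[1], listener, thread]
end

# "After" behaviour: SSLv3 is a floor that is never offered, everything above it
# is negotiated. Returns the negotiated version (what httpclient prints) and the body.
def negotiated_protocol(port, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = OpenSSL::SSL::TLS1_VERSION   # same effect as options |= OP_NO_SSLv2|OP_NO_SSLv3
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store  = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
  sock = TCPSocket.new('127.0.0.1', port)
  ssl  = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.hostname   = 'localhost'                   # SNI
  ssl.sync_close = true
  Timeout.timeout(10) do
    ssl.connect
    ssl.post_connection_check('localhost')       # hostname must match the SAN
    ssl.write "GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"
    { version: ssl.ssl_version, body: ssl.read }
  end
ensure
  ssl ? ssl.close : sock&.close
end

# "Before" behaviour: one pinned protocol, no negotiation, as ruby-httpclient 2.3.x did.
# Returns the version string on success or a "refused (...)" marker on failure.
def hardcoded_sslv3_attempt(port, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ssl_version = :SSLv3
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store  = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
  sock = TCPSocket.new('127.0.0.1', port)
  ssl  = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.sync_close = true
  Timeout.timeout(10) { ssl.connect }
  ssl.ssl_version
rescue OpenSSL::SSL::SSLError, ArgumentError, NameError, SystemCallError, IOError => e
  "refused (#{e.class}: #{e.message})"
ensure
  ssl ? ssl.close : sock&.close
end

def stop_tls_server(listener, thread)
  listener.close                                 # wakes the accept loop with IOError
  thread.join(5)
end

if __FILE__ == $PROGRAM_NAME
  key, cert = make_self_signed_cert
  port, listener, thread = start_tls_server(key, cert)
  puts "hardcoded SSLv3: #{hardcoded_sslv3_attempt(port, cert)}"
  puts "negotiated:      #{negotiated_protocol(port, cert)[:version]}"
  stop_tls_server(listener, thread)
end
```

Running it prints a refusal for the pinned SSLv3 attempt and a TLS version for the negotiated one. The point for the package update is that the fixed client does not pin TLSv1 either: it sets a floor and lets the peer pick, which is why Comment 3 shows TLSv1.2 against Google while the Mageia server above only offered TLSv1.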
Committed advisory:

type: security
subject: Updated ruby-httpclient package enables SSL negotiation
CVE:
 - CVE-2014-3566
src:
  3:
   core:
     - ruby-httpclient-2.4.0-1.mga3
  4:
   core:
     - ruby-httpclient-2.4.0-1.mga4
description: |
  This new version enables SSL negotiation instead of hardcoding SSLv3.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=14404
Assignee: pterjan => qa-bugs
Thanks. I don't know that listing CVE-2014-3566 in the CVE section of the advisory is really appropriate, since this technically doesn't fix that CVE (which is technically unfixable), it just mitigates it. I don't think any distro has handled that technicality consistently though :o( To QA team: see verification procedure in Comment 3.
Version: Cauldron => 4
Whiteboard: (none) => MGA3TOO has_procedure
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure advisory
Testing on Mageia4-64 real hardware following procedure in Comment 3.

With current package: ruby-httpclient-2.3.4.1-4.mga4.noarch
$ httpclient get https://mageia.org/ 2>&1 | grep 'Protocol version'
Protocol version: SSLv3

With update testing package: ruby-httpclient-2.4.0-1.mga4.noarch
$ httpclient get https://mageia.org/ 2>&1 | grep 'Protocol version'
Protocol version: TLSv1

OK
CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure advisory => MGA3TOO has_procedure advisory MGA4-64-OK
Testing on Mageia3-64 real hardware.

Followed the same procedure, but with both the current package and the update testing package there was a blank after "Protocol version:":
$ httpclient get https://mageia.org/ 2>&1 | grep 'Protocol version'
Protocol version:

Couldn't confirm the bug is actually fixed in Mageia 3.
Testing finished, I validate this. Sysadmins, push this to updates.
Keywords: (none) => validated_update
CC: (none) => ozkyster, sysadmin-bugs
Whiteboard: MGA3TOO has_procedure advisory MGA4-64-OK => MGA3TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA3-64-MGA3-32-OK
Testing Mageia 3 i586. I have the same results as Olivier. The protocol version is blank, but this is true before and after the update, so not a regression. Otherwise, it still works fine. We know the issue is fixed in 2.4.0, so this is sufficient.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0489.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED