CVEs have been assigned for security issues fixed upstream in polarssl: http://openwall.com/lists/oss-security/2014/11/06/4 The issues were fixed in version 1.3.9: https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released Mageia 3 and Mageia 4 are also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Freeze push requested for Cauldron. Updated packages uploaded for Mageia 3 and Mageia 4. Advisory: ======================== Updated polarssl packages fix security vulnerability: A regression in PolarSSL 1.3.8 resulted in servers negotiating a weaker signature algorithm than available. This has been fixed in PolarSSL 1.3.9 (CVE-2014-8627). Two remotely-triggerable memory leaks were found by the Codenomicon Defensics tool and fixed in PolarSSL 1.3.9 (CVE-2014-8628). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8627 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8628 https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released http://openwall.com/lists/oss-security/2014/11/06/4 ======================== Updated packages in core/updates_testing: ======================== polarssl-1.3.9-1.mga3 libpolarssl7-1.3.9-1.mga3 libpolarssl-devel-1.3.9-1.mga3 polarssl-1.3.9-1.mga4 libpolarssl7-1.3.9-1.mga4 libpolarssl-devel-1.3.9-1.mga4 from SRPMS: polarssl-1.3.9-1.mga3.src.rpm polarssl-1.3.9-1.mga4.src.rpm
CC: (none) => oeVersion: Cauldron => 4Assignee: oe => qa-bugsWhiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=11459#c7
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Tested Mageia 3 i586 and Mageia 4 i586 using Claire's procedure from Comment 2. pdns worked fine. polarssl-selftest passed all of the tests. On Mageia 4, the first few times I ran it the TIMING test #3 (hardclock) failed, both with polarssl 1.3.8 and 1.3.9, but the last time I ran it with 1.3.9 it passed. On Mageia 3 it always passed.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK
Advisory uploaded.
CC: (none) => remiWhiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK advisory
OpenSuSE has issued an advisory for this today (November 19): http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html
URL: (none) => http://lwn.net/Vulnerabilities/622002/
Testing on Mageia 3-64 real HW Using procedure mentionned in Comment 2 Current packages : ---------------- # rpm -q polarssl polarssl-1.3.8-1.mga3 # polarssl-selftest [ All tests passed ] In pdns.conf set listen on port 5300 (local-port=5300 at the end of the file) # dig www.example.com A @127.0.0.1 -p 5300 gave expected results Stopped pdns service Updated to testing packages : --------------------------- - lib64polarssl-devel-1.3.9-1.mga3.x86_64 - lib64polarssl7-1.3.9-1.mga3.x86_64 - polarssl-1.3.9-1.mga3.x86_64 polarssl-selftest => all tests passed Started pdns service # dig www.example.com A @127.0.0.1 -p 5300 gave expected results MGA3-64 passed.
CC: (none) => olchalWhiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK advisory => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK advisory
Validating, it's been well tested already.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0481.html
Status: NEW => RESOLVEDResolution: (none) => FIXED