Fedora has issued an advisory on November 7:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145190.html

They also did the same for plasma-networkmanagement, but as far as I can tell, we don't have that packaged.

I'm not sure if plasma5-nm is affected, but it probably is.

Fedora has added upstream patches to fix this, and the upstream bug links git commits:
http://pkgs.fedoraproject.org/cgit/kde-plasma-nm.git/commit/?h=f20&id=70e3d766e0acff18e49fabc8b6041018902bb95b
https://bugs.kde.org/show_bug.cgi?id=341069

Mageia 4 is also affected.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA4TOO
(In reply to David Walser from comment #0)
> Fedora has issued an advisory on November 7:
> https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145190.html

The Fedora update to Plasma-nm 0.9.3.5 release is not related to this vulnerability. This is https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146024.html

> They also did the same for plasma-networkmanagement, but as far as I can
> tell, we don't have that packaged.
>
> I'm not sure if plasma5-nm is affected, but it probably is.

Yep, probably, but unfortunately they forgot to push the fix in the branch Plasma/5.1 that is used to make the upcoming Plasma 5.1.2 :-(

> Fedora has added upstream patches to fix this, and the upstream bug links
> git commits:
> http://pkgs.fedoraproject.org/cgit/kde-plasma-nm.git/commit/?h=f20&id=70e3d766e0acff18e49fabc8b6041018902bb95b
> https://bugs.kde.org/show_bug.cgi?id=341069
>
> Mageia 4 is also affected.
>
> Reproducible:
>
> Steps to Reproduce:
Hardware: i586 => All
Oops, I did indeed use the wrong Fedora link. It is indeed this one from December 4: https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146024.html Sorry about that. I thought that date looked wrong.
plasma-nm and plasma5-nm are fixed in Cauldron with
- plasma-nm-0.9.3.5-2.mga5 (upstream patches from branch 0.9.3),
- plasma5-nm-5.1.2-2.mga5 (upstream patches from branch master).
Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4
Source RPM: plasma-nm-0.9.3.5-1.mga5.src.rpm => plasma-nm-0.9.3.2-1.mga4.src.rpm
Suggested advisory:

Updated plasma-applet-nm packages add OpenVPN option for server certificate verification

Plasma-nm does not tell OpenVPN to perform server certificate verification. Consequently, anyone with the preshared key is able to perform a MITM attack by impersonating the server.

This update adds an option to the OpenVPN plugin for server certificate verification.

References:
https://bugs.mageia.org/show_bug.cgi?id=14812
https://bugs.kde.org/show_bug.cgi?id=341069
http://lwn.net/Vulnerabilities/626419
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146024.html

src.rpm:
plasma-nm-0.9.3.2-1.1.mga4.src.rpm

packages for i586:
plasma-applet-nm-0.9.3.2-1.1.mga4.i586.rpm
plasma-applet-nm-openconnect-0.9.3.2-1.1.mga4.i586.rpm
plasma-applet-nm-openvpn-0.9.3.2-1.1.mga4.i586.rpm
plasma-applet-nm-pptp-0.9.3.2-1.1.mga4.i586.rpm
plasma-applet-nm-vpnc-0.9.3.2-1.1.mga4.i586.rpm

packages for x86_64:
plasma-applet-nm-0.9.3.2-1.1.mga4.x86_64.rpm
plasma-applet-nm-openconnect-0.9.3.2-1.1.mga4.x86_64.rpm
plasma-applet-nm-openvpn-0.9.3.2-1.1.mga4.x86_64.rpm
plasma-applet-nm-pptp-0.9.3.2-1.1.mga4.x86_64.rpm
plasma-applet-nm-vpnc-0.9.3.2-1.1.mga4.x86_64.rpm
CC: (none) => lmenut
Assignee: lmenut => qa-bugs
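The advisory above describes an added option, so a saved OpenVPN profile only gets server certificate verification once such an option is set in it. The following is an added example (not part of this bug report and not plasma-nm code) that flags NetworkManager OpenVPN profiles with no such setting. It assumes the NetworkManager keyfile format and the NetworkManager-openvpn keys remote-cert-tls, tls-remote and verify-x509-name; the report does not name the option the patch adds, and the sample profiles are constructed.

```python
import configparser

# Assumed NetworkManager-openvpn [vpn] keys that make the client check the
# server certificate; the bug report does not name the option the patch adds.
VERIFY_KEYS = ("remote-cert-tls", "tls-remote", "verify-x509-name")
OPENVPN_SERVICE = "org.freedesktop.NetworkManager.openvpn"


def audit_profile(keyfile_text):
    """Return (connection id, finding), or None if not an OpenVPN profile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(keyfile_text)
    if not cp.has_section("vpn"):
        return None
    vpn = cp["vpn"]
    if vpn.get("service-type") != OPENVPN_SERVICE:
        return None
    name = cp.get("connection", "id", fallback="<unnamed>")
    if vpn.get("connection-type", "tls") == "static-key":
        return name, "static-key mode: no server certificate to verify"
    present = [k for k in VERIFY_KEYS if vpn.get(k, "").strip()]
    if present:
        return name, "ok: " + ", ".join(present)
    return name, "MISSING: no server certificate verification option set"


# Constructed sample profiles (not taken from the bug report).
UNVERIFIED = """\
[connection]
id=office-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=vpn.example.org
ca=/etc/openvpn/ca.crt
cert=/etc/openvpn/client.crt
key=/etc/openvpn/client.key
"""
VERIFIED = (UNVERIFIED.replace("id=office-vpn", "id=office-vpn-checked")
            + "remote-cert-tls=server\n")

if __name__ == "__main__":
    for text in (UNVERIFIED, VERIFIED):
        print(audit_profile(text))
```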
MGA4-64 on HP Probook 6555b KDE and MGA-32 on Acer D620 Xfce. No installation issues.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to updates. Thanks.
CC: (none) => sysadmin-bugs
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0560.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED