Upstream has issued an advisory today (January 9): https://www.kde.org/info/security/advisory-20150109-1.txt

It was noted that a CVE exists for this issue: http://www.openwall.com/lists/oss-security/2015/01/09/3

Upstream commits to fix the issue are linked. The issue affects both KDE4 and KF5. Mageia 4 is also affected.
CC: (none) => mageia
Whiteboard: (none) => MGA4TOO
Blocks: (none) => 14674
This kwalletd vulnerability is fixed in Cauldron with:
- kdebase4-runtime 4.14.3-3 (KDE SC 4.14),
- kwallet 5.5.0-2 (KF5).
Source RPM: kwallet => kdebase4-runtime-4.12.5-1.2.mga4
Blocks: 14674 => (none)
Version: Cauldron => 4
Hardware: i586 => All
Whiteboard: MGA4TOO => (none)
Fedora has issued an advisory for this on January 12: https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148090.html
URL: (none) => http://lwn.net/Vulnerabilities/629676/
src.rpm: kdebase4-runtime-4.12.5-1.3.mga4.src.rpm

packages i586:
kdebase4-runtime-4.12.5-1.3.mga4.i586.rpm
kdebase4-runtime-devel-4.12.5-1.3.mga4.i586.rpm
kdebase4-runtime-handbook-4.12.5-1.3.mga4.noarch.rpm
kwallet-daemon-4.12.5-1.3.mga4.i586.rpm
libkwalletbackend4-4.12.5-1.3.mga4.i586.rpm
libmolletnetwork4-4.12.5-1.3.mga4.i586.rpm
nepomuk-4.12.5-1.3.mga4.i586.rpm

packages x86_64:
kdebase4-runtime-4.12.5-1.3.mga4.x86_64.rpm
kdebase4-runtime-devel-4.12.5-1.3.mga4.x86_64.rpm
kdebase4-runtime-handbook-4.12.5-1.3.mga4.noarch.rpm
kwallet-daemon-4.12.5-1.3.mga4.x86_64.rpm
lib64kwalletbackend4-4.12.5-1.3.mga4.x86_64.rpm
lib64molletnetwork4-4.12.5-1.3.mga4.x86_64.rpm
nepomuk-4.12.5-1.3.mga4.x86_64.rpm

I will write the advisory later (too late this evening), but testing by QA can start.
Summary: kwallet new security issue CVE-2013-7252 => kwalletd new security issue CVE-2013-7252
Assignee: lmenut => qa-bugs
Blocks: (none) => 14851
CC: (none) => lmenut
Still need an advisory please Luc
or David
Advisory:
========================

Updated kdebase4-runtime packages fix security vulnerability:

kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack (CVE-2013-7252).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7252
https://www.kde.org/info/security/advisory-20150109-1.txt
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148090.html
Testing complete mga4 64

Ensured nepomuk was enabled in KDE settings (search settings) and the kwallet subsystem in KDE wallet manager settings. Used konqueror to store a login/password and verified it was stored in kwallet. Deleted the wallet, as it was only used for testing.
Whiteboard: (none) => has_procedure mga4-64-ok
This update has some additional fixes, so I propose adding to the advisory:

This update also fixes some additional issues:
- encoding in KDEsuDialog (mga#14851)
- kio_sftp can corrupt files when reading (bko#342391)
- use euro currency for Lithuania
- save the default file manager, email client and browser in mimeapps.list [Default Applications] for a better interoperability with most GTK applications (mga#4461)

and for references:
https://bugs.mageia.org/show_bug.cgi?id=14851
https://bugs.kde.org/show_bug.cgi?id=342391
https://bugs.mageia.org/show_bug.cgi?id=4461
Thanks Luc.

Advisory:
========================

Updated kdebase4-runtime packages fix security vulnerability:

kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack (CVE-2013-7252).

This update also fixes some additional issues:
- encoding in KDEsuDialog (mga#14851)
- kio_sftp can corrupt files when reading (bko#342391)
- use euro currency for Lithuania
- save the default file manager, email client and browser in mimeapps.list [Default Applications] for a better interoperability with most GTK applications (mga#4461)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7252
https://www.kde.org/info/security/advisory-20150109-1.txt
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148090.html
https://bugs.kde.org/show_bug.cgi?id=342391
https://bugs.mageia.org/show_bug.cgi?id=14851
https://bugs.mageia.org/show_bug.cgi?id=4461
https://bugs.mageia.org/show_bug.cgi?id=14997
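As an added illustration of the ECB-versus-CBC point in the advisory above (this is example code written for this page, not KDE's kwalletd code nor anything from the Mageia package), the block below encrypts a small constructed "password store" in both modes and counts duplicate ciphertext blocks. It uses a 4-round Feistel permutation built from HMAC-SHA256 as a stand-in for Blowfish, because that needs no third-party library; only the 8-byte block size is shared with Blowfish. The key, IV and sample store are constructed values. The `repeated_blocks` check is the kind of test a reviewer can run on an encrypted store without the key: identical entries encrypted under ECB show up as identical blocks, under CBC they do not.

```python
import hashlib
import hmac

BLOCK = 8  # Blowfish works on 64-bit blocks; this stand-in does too


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function: keyed hash of (round number, right half), truncated to 4 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on one 8-byte block (a toy PRP, not Blowfish)."""
    assert len(block) == BLOCK
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: run the rounds backwards."""
    assert len(block) == BLOCK
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def _pad(data: bytes) -> bytes:
    # PKCS#7-style padding up to a multiple of the block size.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _chunks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks
    give equal ciphertext blocks (the weakness the advisory describes)."""
    return b"".join(encrypt_block(key, b) for b in _chunks(_pad(plaintext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before
    encryption, so repeats in the plaintext do not show in the ciphertext."""
    out, prev = [], iv
    for b in _chunks(_pad(plaintext)):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    out, prev = [], iv
    for c in _chunks(body):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return _unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of duplicate 8-byte blocks in a ciphertext: the classic ECB tell,
    checkable on an encrypted store without knowing the key."""
    blocks = _chunks(ciphertext)
    return len(blocks) - len(set(blocks))


def compare_modes(key: bytes = b"constructed-demo-key",
                  iv: bytes = bytes(range(BLOCK))) -> dict:
    # Constructed sample: the same 8-byte password saved for three accounts.
    # The IV is fixed here only to keep the demo deterministic; a real
    # implementation uses a fresh random IV for every encryption.
    store = b"passw0rd" * 3 + b"x"
    return {"ecb": repeated_blocks(ecb_encrypt(key, store)),
            "cbc": repeated_blocks(cbc_encrypt(key, iv, store))}


if __name__ == "__main__":
    print(compare_modes())  # ECB reports duplicate blocks, CBC reports none
```

The three identical `passw0rd` entries produce three identical ECB blocks (two duplicates), which is exactly what a codebook attack exploits: an attacker who learns one block's plaintext learns every other place it occurs. Under CBC the chaining makes each block's input unique, so the same store yields no repeated blocks.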
Testing completed mga4 32
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
Keywords: (none) => validated_update
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0044.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This may have caused a regression with weather plasmoids. They appear unable to connect. Previously we've had an issue with plasmoids expecting networkmanager. Is it possible we've lost a patch?
yawp is still working fine for me on two machines and a VM with this update.
Have you rebooted since installing it?
yes