Issues in Mono's TLS implementation were discovered and fixed upstream: http://openwall.com/lists/oss-security/2015/03/07/2 The above message notes that the issues are fixed upstream in 3.12.1 (which we can update to in Cauldron), and also links patches for older versions of Mono (which we can use in Mageia 4).
Whiteboard: (none) => MGA5TOO, MGA4TOO
I'm on it (MGA5)
Status: NEW => ASSIGNED
mono-3.12.1-1.mga5 uploaded for Cauldron. Thanks Matteo!
Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)
I'm on it (MGA4)
I have uploaded a patched package for Mageia 4. This patched package fixes Mono's TLS stack vulnerabilities.

Suggested advisory:
========================
A TLS impersonation attack was discovered in Mono's TLS stack by researchers at Inria. During checks on the TLS stack, they have discovered two further issues which have been fixed - SSLv2 support. These vulnerabilities affect basically every Mono version ever released.

References:
http://openwall.com/lists/oss-security/2015/03/07/2
https://gist.github.com/directhex/f8c6e67f551d8a608154
========================

Updated packages in core/updates_testing:
========================
mono-3.2.3-5.1.mga4
Status: ASSIGNED => NEW
Assignee: matteo.pasotti => qa-bugs
Before we assign to QA, why have you added this patch: https://gist.github.com/directhex/f8c6e67f551d8a608154 but not these?: https://gist.github.com/directhex/728af6f96d1b8c976659 https://github.com/mono/mono/commit/b371da6b2d68b4cdd0f21d6342af6c42794f998b
Assignee: qa-bugs => matteo.pasotti
I'm fixing it right now.
David, mono-3.2.3-5.2.mga4 has been pushed to the BS. It should include all the needed fixes, but please check it. I'll wait for your feedback before assigning to QA.
Looks good Matteo, thanks! Now we just need a complete advisory (I think the one from earlier just referred to the one patch).
I have uploaded a patched package for Mageia 4. This patched package fixes Mono's TLS stack vulnerabilities and drops SSLv2 fallback (fixing some issues).

Suggested advisory:
========================
A TLS impersonation attack was discovered in Mono's TLS stack by researchers at Inria. During checks on the TLS stack, they have discovered two further issues which have been fixed - SSLv2 support. These vulnerabilities affect basically every Mono version ever released.

References:
http://openwall.com/lists/oss-security/2015/03/07/2
https://gist.github.com/directhex/f8c6e67f551d8a608154
https://gist.github.com/directhex/728af6f96d1b8c976659
https://github.com/mono/mono/commit/b371da6b2d68b4cdd0f21d6342af6c42794f998b
http://svnweb.mageia.org/packages/updates/4/mono/current/SOURCES/mono-3.2.3-drop_sslv2_fallback.patch?revision=818477&view=co
http://svnweb.mageia.org/packages/updates/4/mono/current/SOURCES/patch3-2.6.7.patch?revision=818473&view=co
http://svnweb.mageia.org/packages/updates/4/mono/current/SOURCES/patch1-3.2.8.patch?revision=818428&view=co
========================

Updated packages in core/updates_testing:
========================
mono-3.2.3-5.2.mga4
Assignee: matteo.pasotti => qa-bugs
Thanks Matteo!

Advisory:
========================
A TLS impersonation attack was discovered in Mono's TLS stack by researchers at Inria. During checks on the TLS stack, they have discovered two further issues which have been fixed, a vulnerability to a protocol downgrade attack and SSLv2 support still being available.

References:
http://openwall.com/lists/oss-security/2015/03/07/2
========================

Updated packages in core/updates_testing:
========================
mono-3.2.3-5.2.mga4
mono-doc-3.2.3-5.2.mga4
libmono0-3.2.3-5.2.mga4
libmono2.0_1-3.2.3-5.2.mga4
mono-data-sqlite-3.2.3-5.2.mga4
libmono-devel-3.2.3-5.2.mga4
mono-winfxcore-3.2.3-5.2.mga4
mono-web-3.2.3-5.2.mga4
mono-data-oracle-3.2.3-5.2.mga4
mono-data-3.2.3-5.2.mga4
mono-extras-3.2.3-5.2.mga4
mono-ibm-data-db2-3.2.3-5.2.mga4
mono-winforms-3.2.3-5.2.mga4
mono-locale-extras-3.2.3-5.2.mga4
mono-data-postgresql-3.2.3-5.2.mga4
mono-nunit-3.2.3-5.2.mga4
monodoc-core-3.2.3-5.2.mga4
mono-rx-core-3.2.3-5.2.mga4
mono-rx-desktop-3.2.3-5.2.mga4
mono-wcf-3.2.3-5.2.mga4

from mono-3.2.3-5.2.mga4.src.rpm
CC: (none) => matteo.pasotti
CVEs have been assigned: http://openwall.com/lists/oss-security/2015/03/17/9

Advisory:
========================
A TLS impersonation attack was discovered in Mono's TLS stack by researchers at Inria (CVE-2015-2318). During checks on the TLS stack, they have discovered two further issues which have been fixed, a vulnerability to a protocol downgrade attack (CVE-2015-2319) and SSLv2 support still being available (CVE-2013-2320).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2318
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2319
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2320
http://openwall.com/lists/oss-security/2015/03/17/9
Summary: mono new TLS implementation security vulnerabilities => mono new TLS implementation security vulnerabilities (CVE-2015-231[89], CVE-2015-2320)
As discussed in the last QA meeting, a good way to test Mono is with the banshee music player. In this case, since the update impacts the TLS implementation, if there's a way to get banshee to connect to something (maybe a music service) via https, that would suffice.
URL: (none) => http://lwn.net/Vulnerabilities/637287/
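The test procedure suggested in comment 12 needs some client that drives Mono's own TLS stack over HTTPS. The following is an added example, not part of this bug report or of the Mono project: a small C# smoke test that opens a TLS connection with Mono's SslStream, requires server certificate validation to succeed, and reports the negotiated protocol and cipher so a tester can confirm that the patched stack refuses SSLv2/SSLv3 sessions and rejects bad certificates. The host name (given on the command line, default "example.org") and port 443 are assumptions; nothing else is specific to this update.

```csharp
// Added example (not from the bug report): TLS smoke test for a patched Mono.
// Build: mcs TlsCheck.cs    Run: mono TlsCheck.exe some.https.host
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

class TlsCheck
{
    // Certificate validation callback: log the policy error and reject the
    // certificate. Returning true here would disable hostname/chain checks.
    static bool ValidateServerCertificate(object sender, X509Certificate cert,
                                          X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;
        Console.Error.WriteLine("certificate rejected: " + errors);
        return false;
    }

    // Opens a TLS session to host:port and returns 0 only if the session is
    // authenticated, encrypted, signed, and not negotiated down to SSLv2/SSLv3.
    static int Check(string host, int port)
    {
        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false, ValidateServerCertificate))
        {
            // Offer TLS only; a stack that still falls back to SSLv2 is the
            // behaviour the update is supposed to remove.
            ssl.AuthenticateAsClient(host, null, SslProtocols.Tls, true);

            Console.WriteLine("protocol: " + ssl.SslProtocol);
            Console.WriteLine("cipher:   " + ssl.CipherAlgorithm + " (" + ssl.CipherStrength + " bits)");
            Console.WriteLine("hash:     " + ssl.HashAlgorithm);
            Console.WriteLine("exchange: " + ssl.KeyExchangeAlgorithm);

            if (!ssl.IsAuthenticated || !ssl.IsEncrypted || !ssl.IsSigned)
            {
                Console.Error.WriteLine("FAIL: session is not authenticated/encrypted/signed");
                return 2;
            }
            if (ssl.SslProtocol == SslProtocols.Ssl2 || ssl.SslProtocol == SslProtocols.Ssl3)
            {
                Console.Error.WriteLine("FAIL: negotiated " + ssl.SslProtocol + " instead of TLS");
                return 3;
            }
            return 0;
        }
    }

    static int Main(string[] args)
    {
        // "example.org" is a placeholder default, not a host named in the bug.
        string host = args.Length > 0 ? args[0] : "example.org";
        try
        {
            return Check(host, 443);
        }
        catch (AuthenticationException e)
        {
            // Raised when the handshake fails or the validation callback returns false.
            Console.Error.WriteLine("FAIL: handshake rejected: " + e.Message);
            return 1;
        }
    }
}
```

A non-zero exit status is the interesting result for QA: exit 1 against a host with a valid certificate, or exit 3 on any host, would indicate that the patched package does not behave as the advisory describes.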
Debian has issued an advisory for this on March 22: https://www.debian.org/security/2015/dsa-3202
CC: (none) => remi
Whiteboard: (none) => has_procedure
(In reply to David Walser from comment #12)
> As discussed in the last QA meeting, a good way to test Mono is with the
> banshee music player. In this case, since the update impacts the TLS
> implementation, if there's a way to get banshee to connect to something
> (maybe a music service) via https, that would suffice.

There doesn't appear to be. I tried to enqueue HTTPS URLs in Banshee and it refused to play them ("http://..." URLs worked fine). I also noticed it loads data from archive.org from "http://" URLs (according to what wireshark reported). Banshee otherwise works fine.
CC: (none) => shlomif
(In reply to Shlomi Fish from comment #14)
> (In reply to David Walser from comment #12)
> > As discussed in the last QA meeting, a good way to test Mono is with the
> > banshee music player. In this case, since the update impacts the TLS
> > implementation, if there's a way to get banshee to connect to something
> > (maybe a music service) via https, that would suffice.
>
> There doesn't appear to be. I tried to enqueue HTTPS URLs in Banshee and it
> refused to play them ("http://..." URLs worked fine). I also noticed it
> loads data from archive.org from "http://" URLs (According to what wireshark
> reported). Banshee otherwise works fine.

OK, Banshee is working on MGA4-i586 and MGA4-x86-64 VMs (without using https://). Tested an HTTP .ogg, an HTTP .mp3 and an Internet Archive stream. With the MGA4-i586 version there was a problem with playing .ogg files from remote locations - http://localhost/ .oggs and remote .mp3s worked fine. Validating.

Regards,

-- Shlomi Fish
Whiteboard: has_procedure => MGA4-64-OK has_procedure MGA4-32-OK
Thanks Shlomi
Validating. Advisory uploaded. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK has_procedure MGA4-32-OK => MGA4-64-OK has_procedure MGA4-32-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0156.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED