A CVE has been requested for a security issue fixed in libtasn1 4.4:
http://openwall.com/lists/oss-security/2015/03/29/4

The upstream commit to fix the issue is linked in the message above.

Mageia 4 and Mageia 5 are affected.

I've patched the versions in Mageia 4 and Cauldron SVN locally with the upstream commit and both build fine and pass their test suite. Waiting for the CVE before committing.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Blocks: (none) => 14674
CVE-2015-2806: http://openwall.com/lists/oss-security/2015/03/31/2
CC: (none) => oe
Summary: libtasn1 new security issue fixed upstream in 4.4 => CVE-2015-2806: libtasn1 new security issue fixed upstream in 4.4
Patch checked into Mageia 4 and Cauldron SVN. Freeze push requested for Cauldron.
Summary: CVE-2015-2806: libtasn1 new security issue fixed upstream in 4.4 => libtasn1 new security issue fixed upstream in 4.4 (CVE-2015-2806)
Patched packages uploaded for Mageia 4 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=5128#c10

Advisory:
========================

Updated libtasn1 packages fix security vulnerability:

The libtasn1 library before version 4.4 is vulnerable to a two-byte stack overflow in asn1_der_decoding (CVE-2015-2806).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2806
http://openwall.com/lists/oss-security/2015/03/31/2
========================

Updated packages in core/updates_testing:
========================
libtasn1_6-3.6-1.1.mga4
libtasn1-tools-3.6-1.1.mga4
libtasn1-devel-3.6-1.1.mga4

from libtasn1-3.6-1.1.mga4.src.rpm
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure
I repeated Claire's test from here:
https://bugs.mageia.org/show_bug.cgi?id=13456#c1

Same results on Mageia 4 i586 with the update.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Validating. Advisory uploaded. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0128.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/639035/