Bug 15779 - quassel new security issue CVE-2015-3427
Summary: quassel new security issue CVE-2015-3427
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/642884/
Whiteboard: advisory MGA4-32-OK mga4-64-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-04-27 17:13 CEST by David Walser
Modified: 2015-05-01 18:10 CEST
Source RPM: quassel-0.9.2-1.2.mga4.src.rpm

Description David Walser 2015-04-27 17:13:56 CEST
A CVE has been assigned for a security issue fixed upstream in Quassel:
http://openwall.com/lists/oss-security/2015/04/27/3

Patch checked into Mageia 4 and Cauldron SVN.  Freeze push requested for Cauldron.

David Walser 2015-04-27 17:14:02 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-28 00:02:37 CEST
Patched packages uploaded for Mageia 4 and Cauldron.

This fix is due to an incorrect/incomplete fix for CVE-2013-4422 (Bug 11443).

Advisory:
========================

Updated quassel packages fix security vulnerability:

Quassel is vulnerable to SQL injection through its use of Qt's postgres driver.
If the PostgreSQL server is restarted or the connection is lost at any point,
other IRC users may be able to trick the Quassel core into executing SQL
queries upon reconnection (CVE-2015-3427).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3427
http://openwall.com/lists/oss-security/2015/04/27/3
========================

Updated packages in core/updates_testing:
========================
quassel-0.9.2-1.3.mga4
quassel-common-0.9.2-1.3.mga4
quassel-client-0.9.2-1.3.mga4
quassel-core-0.9.2-1.3.mga4

from quassel-0.9.2-1.3.mga4.src.rpm

Whiteboard: MGA5TOO, MGA4TOO => (none)
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2015-04-28 00:43:15 CEST
Working fine Mageia 4 i586.

Whiteboard: (none) => MGA4-32-OK

Comment 3 claire robinson 2015-04-28 19:16:48 CEST
Testing complete mga4 64

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK => advisory MGA4-32-OK mga4-64-ok

Comment 4 Mageia Robot 2015-04-30 23:58:17 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0175.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-05-01 18:10:14 CEST

URL: (none) => http://lwn.net/Vulnerabilities/642884/
