Fedora has issued an advisory on April 3: https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181143.html As the upstream announcement notes, version 1.0.12 fixes some crashes and memory leaks, as well as well as a race condition that could lead to an information leak (CVE-2016-0764): https://mail.gnome.org/archives/networkmanager-list/2016-April/msg00000.html https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181143.html
Assignee: olav => bugsquad
Assigning to all packagers collectively, since there is no maintainer for this package.
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
Well! done for 1.0.12 upstream release: Packages in 5/core/updates_testing: ======================== networkmanager-1.0.12-1.mga5.i586.rpm networkmanager-tui-1.0.12-1.mga5.i586.rpm libnm0-1.0.12-1.mga5.i586.rpm libnm-devel-1.0.12-1.mga5.i586.rpm libnm-util2-1.0.12-1.mga5.i586.rpm libnetworkmanager-gir1.0-1.0.12-1.mga5.i586.rpm libnm-util-devel-1.0.12-1.mga5.i586.rpm libnm-glib4-1.0.12-1.mga5.i586.rpm libnmclient-gir1.0-1.0.12-1.mga5.i586.rpm libnm-glib-devel-1.0.12-1.mga5.i586.rpm libnm-glib-vpn1-1.0.12-1.mga5.i586.rpm libnm-glib-vpn-devel-1.0.12-1.mga5.i586.rpm networkmanager-1.0.12-1.mga5.x86_64.rpm networkmanager-tui-1.0.12-1.mga5.x86_64.rpm lib64nm0-1.0.12-1.mga5.x86_64.rpm lib64nm-devel-1.0.12-1.mga5.x86_64.rpm lib64nm-util2-1.0.12-1.mga5.x86_64.rpm lib64networkmanager-gir1.0-1.0.12-1.mga5.x86_64.rpm lib64nm-util-devel-1.0.12-1.mga5.x86_64.rpm lib64nm-glib4-1.0.12-1.mga5.x86_64.rpm lib64nmclient-gir1.0-1.0.12-1.mga5.x86_64.rpm lib64nm-glib-devel-1.0.12-1.mga5.x86_64.rpm lib64nm-glib-vpn1-1.0.12-1.mga5.x86_64.rpm lib64nm-glib-vpn-devel-1.0.12-1.mga5.x86_64.rpm Source RPM: ======================== networkmanager-1.0.12-1.mga5.src.rpm
CC: (none) => geiger.david68210
Thanks David! Here's a preliminary advisory. Do any other networkmanager-* SRPMS need to be updated too? Advisory: ======================== Updated networkmanager package fixes security vulnerability: NetworkManager before 1.0.12 is vulnerable to a race condition that could lead to a local information leak (CVE-2016-0764). The networkmanager package has been updated to version 1.0.12, which fixes this issue and several other bugs. See the upstream NEWS file for details. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0764 https://mail.gnome.org/archives/networkmanager-list/2016-April/msg00000.html https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS?h=1.0.12 https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181143.html
1.0.12 regresses on some wireless drivers https://bugzilla.gnome.org/show_bug.cgi?id=763388
CC: (none) => tmb
the patch is here : https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=0f6febc6fbeafde62e6e0a8c12f57204d94166f
CC: (none) => makowski.mageia
So there is a new set of updated packages with the mentioned patch by Philippe in comment 5 Packages in 5/core/updates_testing: ======================== networkmanager-1.0.12-1.1.mga5 networkmanager-tui-1.0.12-1.1.mga5 libnm0-1.0.12-1.1.mga5 libnm-devel-1.0.12-1.1.mga5 libnm-util2-1.0.12-1.1.mga5 libnetworkmanager-gir1.0-1.0.12-1.1.mga5 libnm-util-devel-1.0.12-1.1.mga5 libnm-glib4-1.0.12-1.1.mga5 libnmclient-gir1.0-1.0.12-1.1.mga5 libnm-glib-devel-1.0.12-1.1.mga5 libnm-glib-vpn1-1.0.12-1.1.mga5 libnm-glib-vpn-devel-1.0.12-1.1.mga5 lib64nm0-1.0.12-1.1.mga5 lib64nm-devel-1.0.12-1.1.mga5 lib64nm-util2-1.0.12-1.1.mga5 lib64networkmanager-gir1.0-1.0.12-1.1.mga5 lib64nm-util-devel-1.0.12-1.1.mga5 lib64nm-glib4-1.0.12-1.1.mga5 lib64nmclient-gir1.0-1.0.12-1.1.mga5 lib64nm-glib-devel-1.0.12-1.1.mga5 lib64nm-glib-vpn1-1.0.12-1.1.mga5 lib64nm-glib-vpn-devel-1.0.12-1.1.mga5 Source RPM: ======================== networkmanager-1.0.12-1.1.mga5.src.rpm
Is this ready for QA, or do the other networkmanager packages need to be updated to 1.0.12 too?
I would says yes it is ready for QA, others networkmanager packages seems to be not affected.
There is another issue affecting networkmanager through the libndp library: http://openwall.com/lists/oss-security/2016/05/17/9 https://rhn.redhat.com/errata/RHSA-2016-1086.html (CVE-2016-3698)
Depends on: (none) => 18477
Assigning to QA. Advisory in Comment 3, package list in Comment 6.
Assignee: pkg-bugs => qa-bugs
Testing complete mga5 64 See here for how to switch to networkmanager. https://forums.mageia.org/en/viewtopic.php?f=25&t=5782 I use NM on my laptop, it seems better at managing multiple networks. Installed updates & rebooted to ensure network was started from cold. Accessed using nm-applet and also checked nmtui in a terminal which gives a useful curses interface.
Whiteboard: (none) => has_procedure mga5-64-ok
Keywords: (none) => validated_updateWhiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0195.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: http://lwn.net/Vulnerabilities/682388/ => http://lwn.net/Vulnerabilities/688456/