Debian-LTS has issued an advisory today (September 7): http://lwn.net/Alerts/699791/ Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to maintainer.
CC: (none) => marja11
Assignee: bugsquad => dan
Fixed for both mga5 and cauldron!
CC: (none) => geiger.david68210
Thanks David! libtomcrypt is used by dropbear, which can be used for testing.

Advisory:
========================

Updated libtomcrypt packages fix security vulnerability:

It was discovered that the implementation of RSA signature verification in libtomcrypt is vulnerable to the Bleichenbacher signature attack. If an RSA key with exponent 3 is used it may be possible to forge a PKCS#1 v1.5 signature signed by that key (CVE-2016-6129).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6129
http://lwn.net/Alerts/699791/
========================

Updated packages in core/updates_testing:
========================
libtomcrypt0-1.17-7.1.mga5
libtomcrypt-devel-1.17-7.1.mga5

from libtomcrypt-1.17-7.1.mga5.src.rpm
Version: Cauldron => 5
Assignee: dan => qa-bugs
Whiteboard: MGA5TOO => (none)
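The advisory above describes a verifier that accepts a PKCS#1 v1.5 signature block even when the bytes after the hash are not what the signer would have produced. As an added example (not libtomcrypt's code and not from the advisory), the Python below contrasts that lax parsing with the fix of rebuilding the exact expected block and comparing all of it; it works on the recovered block EM, so the RSA step m = s^e mod n is assumed already done, and the 128-octet modulus size and message are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed parameters: a 1024-bit modulus (k = 128 octets) and a sample message.
K = 128
MESSAGE = b"libtomcrypt PKCS#1 v1.5 check"

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xFF octets) || 0x00 || DigestInfo || H(message), exactly k octets."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_strict(em: bytes, message: bytes, k: int) -> bool:
    """Fixed pattern: rebuild the whole expected block and compare every octet, so no unchecked region exists."""
    return len(em) == k and hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, k))

def verify_lax(em: bytes, message: bytes) -> bool:
    """Vulnerable pattern: walk the padding, parse DigestInfo, compare the hash,
    and never examine what follows it. That unchecked tail is what the e = 3 forgery relies on."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:  # at least 8 padding octets, then separator
        return False
    body = em[i + 1:]
    if not body.startswith(SHA256_DIGESTINFO):
        return False
    digest = body[len(SHA256_DIGESTINFO):len(SHA256_DIGESTINFO) + 32]
    return hmac.compare_digest(digest, hashlib.sha256(message).digest())

def demo() -> dict:
    """Run both verifiers on a well-formed block and on a constructed block with minimal padding and filler after the hash."""
    good = emsa_pkcs1_v15_encode(MESSAGE, K)
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + SHA256_DIGESTINFO + hashlib.sha256(MESSAGE).digest()
    bad = head + b"\x5a" * (K - len(head))  # constructed: valid-looking prefix, 66 octets the lax check never reads
    return {
        "strict_good": verify_strict(good, MESSAGE, K),
        "lax_good": verify_lax(good, MESSAGE),
        "strict_bad": verify_strict(bad, MESSAGE, K),
        "lax_bad": verify_lax(bad, MESSAGE),
    }
```

The lax verifier returns True for the filler-padded block, which is exactly the property a verifier must not have; only the full-block comparison rejects it.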
MGA5-32 on Acer D620 Xfce
No installation issues.
Used at cli:
$ strace -o dropbear.txt dbclient <user>@<host>
to connect to other MGA5 desktop. Got connected and could display the contents of the user's home with "ls".
Found in trace:
open("/lib/libtomcrypt.so.0", O_RDONLY|O_CLOEXEC) = 3
So OK for me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Advisory uploaded.
CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
Testing M5 x64 real hardware.

Installed the pre-update 'libtomcrypt0', which pulled in a couple of other pkgs. Played with it on my single box to see what would happen.

As normal user in a terminal:
$ dbclient normal_user@localhost
First usage said 'localhost' was not in the permitted host list, but continue anyway? Did so, it asked for the user login, and that worked. Not sure whether to exit or logout, both worked.
$ dbclient root@localhost
Asked for but refused (asked 5 times) the relevant password, then aborted:
dbclient: Connection to root@localhost:22 exited: Disconnect received

As root in a terminal:
# dbclient normal_user@localhost
Asked again about 'localhost' not in its list, but continued when asked to. Then asked for the user password, and that logged in and functioned OK.

UPDATED to: lib64tomcrypt0-1.17-7.1.mga5

$ strace -o dropbear.txt dbclient root@localhost
Refused & aborted as previously. No strace file.
# strace -o tmp/dropbear.txt dbclient lewis@localhost
lewis@localhost's password:
Last login: Sun Nov 6 11:53:27 2016 from localhost.localdomain
$ logout
The strace file contained:
open("/lib64/libtomcrypt.so.0", O_RDONLY|O_CLOEXEC) = 3

Unsure of the significance of all this, but following Herman: OK. Validating.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0369.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED