Debian has issued an advisory on August 27:
https://www.debian.org/security/2017/dsa-3956
Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
More info here: http://www.openwall.com/lists/oss-security/2017/08/29/6
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => shlomif
Rather than open a new bug report, I will simply note that the current version is 1.35, which I assume addresses the bug. It seems preferable to update.
CC: (none) => waterbearer54
Cauldron updated to 1.35 on October 12 by Shlomi, which does indeed fix the issue.
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Advisory:
========================
Updated connman packages fix security vulnerability:
Security consultants in NRI Secure Technologies discovered a stack overflow vulnerability in ConnMan. An attacker with control of the DNS responses to the DNS proxy in ConnMan might crash the service and, in some cases, remotely execute arbitrary commands in the host running the service (CVE-2017-12865).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17439
https://www.debian.org/security/2017/dsa-3956
========================
Updated packages in core/updates_testing:
========================
connman-1.24-4.1.mga5
connman-devel-1.24-4.1.mga5
connman-1.33-6.1.mga6
connman-devel-1.33-6.1.mga6
from SRPMS:
connman-1.24-4.1.mga5.src.rpm
connman-1.33-6.1.mga6.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
As noted in the Debian link, this has been fixed in connman 1.35 which I have successfully installed on a Mga6 machine in an unsuccessful attempt to fix Bug 19344. It should be simple enough to push to Mga6.
It's not necessary to update it for Mageia 6. The patch will suffice.
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Looking for info, found https://wiki.archlinux.org/index.php/ConnMan, so
# systemctl start connman
# systemctl -l status connman
● connman.service - Connection service
   Loaded: loaded (/usr/lib/systemd/system/connman.service; disabled)
   Active: active (running) since ma 2018-01-01 16:21:43 CET; 4s ago
 Main PID: 15587 (connmand)
   CGroup: /system.slice/connman.service
           ├─15587 /usr/sbin/connmand -n
           └─15607 /sbin/modprobe ip_tables -q
jan 01 16:21:44 mach6.hviaene.thuis connmand[15587]: Connection Manager version 1.24
Found in repos econnman, installed that, but
# econnman-bin
Traceback (most recent call last):
  File "/usr/bin/econnman-bin", line 45, in <module>
    import elementary as elm
ImportError: No module named elementary
Tutorial explains "ConnMan has a standard command line client connmanctl. It can run in 2 modes: " etc .... but this is not in our packaging AFAICS.
If someone judges being able to run the service is enough, please OK it then.
CC: (none) => herman.viaene
connmanctl is part of the connman package. As noted in the Arch wiki, simply open a terminal and either enter "connmanctl <command>" to enter a specific command, or "connmanctl" and a prompt will open to allow interactive use.
I should also have commented that elementary and elm are parts of Enlightenment, so if you are not running them the ImportError is to be expected.
@ Comment 9
I can read the wiki, see my comment above.
Entering at CLI:
# conn<TAB>
returns
connmand connman-vpnd
thus no connmanctl.
I looked at the provided files in MCC, no connmanctl there, and
# urpmf --verbose connmanctl
using fast algorithm
getting lock on urpmi
using mirror http://mirror.netcologne.de/mageia/distrib/5/i586
getting information from /var/lib/urpmi/Core Release (distrib1)/files.xml.lzma
getting information from /var/lib/urpmi/Core Updates (distrib3)/files.xml.lzma
getting information from /var/lib/urpmi/Core Updates Testing (distrib5)/files.xml.lzma
getting information from /var/lib/urpmi/Nonfree Release (distrib11)/files.xml.lzma
getting information from /var/lib/urpmi/Nonfree Updates (distrib13)/files.xml.lzma
getting information from /var/lib/urpmi/Tainted Release (distrib21)/files.xml.lzma
getting information from /var/lib/urpmi/Tainted Updates (distrib23)/files.xml.lzma
unlocking urpmi database
That seems not much either to me.
My apologies. I shouldn't do these things when tired. From looking at the 1.24, 1.33 and 1.35 SRPMs, the latter two have provisions for connmanctl and its man entries in the %file section. I am not sure why this was missing before as connmanctl has been around since version 1.7. If no one has missed connmanctl in 1.24, I suppose the rebuild is not worth it as mga5 is near EOL.
Likely no one is actually using it. As it's intended for embedded systems, not normal installs, validating this one based on the update installing cleanly over the prior version.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0036.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED