Bug 24479 - mumble new security issue CVE-2018-20743
Summary: mumble new security issue CVE-2018-20743
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
Reported: 2019-03-08 21:18 CET by David Walser
Modified: 2019-04-11 00:08 CEST

See Also:
Source RPM: mumble-1.2.19-6.mga7.src.rpm
CVE:
Status comment: Patch available from Debian


Description David Walser 2019-03-08 21:18:58 CET
Debian has issued an advisory on March 5:
https://www.debian.org/security/2019/dsa-4402

Mageia 6 is also affected.
David Walser 2019-03-08 21:19:07 CET

Whiteboard: (none) => MGA6TOO
CC: (none) => geiger.david68210

David Walser 2019-03-09 02:25:06 CET

Assignee: bugsquad => geiger.david68210

David Walser 2019-03-09 17:34:05 CET

Status comment: (none) => Patch available from Debian

Comment 1 Mike Rambo 2019-04-02 22:23:45 CEST
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated mumble package fixes security vulnerability:

It was discovered that insufficient restrictions in the connection handling of Mumble, a low latency encrypted VoIP client, could result in denial of service (CVE-2018-20743).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20743
https://security-tracker.debian.org/tracker/CVE-2018-20743
https://www.debian.org/security/2019/dsa-4402
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.19-1.1.mga6
mumble-1.2.19-plugins-1.1.mga6
mumble-1.2.19-protocol-kde4-1.1.mga6
mumble-1.2.19-protocol-plasma5-1.1.mga6
mumble-1.2.19-server-1.1.mga6
mumble-1.2.19-server-web-1.1.mga6

from mumble-1.2.19-1.1.mga6.src.rpm

Testing procedure https://bugs.mageia.org/show_bug.cgi?id=6511#c29

Whiteboard: MGA6TOO => (none)
Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 6
Keywords: (none) => has_procedure
CC: (none) => mrambo

Comment 2 Ulrich Beckmann 2019-04-09 19:21:47 CEST
I installed mumble, tested the configuration workflow with pavucontrol, created a certificate automatically, and connected to an external server.

I got confirmation that I was heard. Everything looks fine.

mumble-server not tested yet.

Ulrich

Installed Packages
mumble.x86_64                   1.2.19-1.1.mga6   @updates_testing-x86_64
mumble-plugins.x86_64           1.2.19-1.1.mga6   @updates_testing-x86_64
mumble-server.x86_64            1.2.19-1.1.mga6   @updates_testing-x86_64

Available Packages
mumble-protocol-kde4.x86_64     1.2.19-1.1.mga6   updates_testing-x86_64
mumble-protocol-plasma5.x86_64  1.2.19-1.1.mga6   updates_testing-x86_64
mumble-server-web.x86_64        1.2.19-1.1.mga6   updates_testing-x86_64

CC: (none) => bequimao.de

Comment 3 Ulrich Beckmann 2019-04-09 19:52:35 CEST
Testing mumble server after reboot:

[root@mga6-clone ~]# systemctl list-units | grep mumble
  session-c1.scope        loaded active abandoned Session c1 of user mumble-server
  mumble-server.service   loaded active exited    LSB: Mumble VoIP Server
  user-973.slice          loaded active active    User Slice of mumble-server

Just added localhost (127.0.0.1) to the server list and connected to it.
You get a voice message when connecting or disconnecting.
Everything works fine. Nothing to configure in the config files. The testing procedure seems outdated.

Best regards
Ulrich

Whiteboard: (none) => MGA6-64-OK

Comment 4 Dave Hodgins 2019-04-10 23:08:11 CEST
Advisory committed to svn. Validating based on comment 3.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2019-04-11 00:08:26 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0145.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
