Bug 25864 - shadowsocks-libev new security issues CVE-2019-5163 and CVE-2019-5164
Summary: shadowsocks-libev new security issues CVE-2019-5163 and CVE-2019-5164
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-12 23:42 CET by David Walser
Modified: 2020-01-05 16:39 CET

See Also:
Source RPM: shadowsocks-libev-3.2.3-2.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-12-12 23:42:24 CET
openSUSE has issued an advisory on December 11:
https://lists.opensuse.org/opensuse-updates/2019-12/msg00070.html

Mageia 7 is also affected.

Comment 1 David Walser 2019-12-12 23:42:50 CET
The issues are fixed upstream in 3.3.3.

CC: (none) => eatdirt
Whiteboard: (none) => MGA7TOO

Comment 2 David GEIGER 2019-12-13 03:55:24 CET
Already done for Cauldron!

CC: (none) => geiger.david68210

Comment 3 David GEIGER 2019-12-13 03:58:16 CET
And now done for mga7!

Comment 4 David Walser 2019-12-13 04:25:00 CET
Advisory:
========================

Updated shadowsocks-libev packages fix security vulnerabilities:

Exploitable denial-of-service vulnerability exists in the UDPRelay
functionality (CVE-2019-5163).

Code execution vulnerability in the ss-manager binary (CVE-2019-5164).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5163
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5164
https://lists.opensuse.org/opensuse-updates/2019-12/msg00070.html
========================

Updated packages in core/updates_testing:
========================
shadowsocks-libev-3.3.3-1.mga7
libshadowsocks2-3.3.3-1.mga7
libshadowsocks-devel-3.3.3-1.mga7

from shadowsocks-libev-3.3.3-1.mga7.src.rpm

CC: (none) => olav
Source RPM: shadowsocks-libev-3.3.0-1.mga8.src.rpm => shadowsocks-libev-3.2.3-2.mga7.src.rpm
Version: Cauldron => 7
Assignee: olav => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 5 Herman Viaene 2020-01-04 14:14:24 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Bug 22037 decided OK on clean install. Did a little research and found: https://www.tipsforchina.com/how-to-setup-a-fast-shadowsocks-server-on-vultr-vps-the-easy-way.html
Does look like something I want to venture into.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2020-01-04 23:20:47 CET
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-01-05 13:55:58 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2020-01-05 16:39:46 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0006.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

