Description of problem:
New version is out 1.3.1 with fix "Potential exploit":
Fixed: Potential exploit in the OCB2 encryption (#4227)

changelog: https://www.mumble.info/blog/mumble-1.3.1-release-announcement/
Archive: https://github.com/mumble-voip/mumble/releases/tag/1.3.1
Source RPM: (none) => mumble-1.3.0-1.mga7.x86_64.rpm
Assigning to QA,

Advisory:
========================

Updated mumble package fixes security vulnerability:

OCB2 is known to be broken under certain conditions:
https://eprint.iacr.org/2019/311

To execute the universal attacks described in the paper, an attacker needs access to an encryption oracle that allows it to perform encryption queries with attacker-chosen nonce. Luckily in Mumble the encryption nonce is a fixed counter which is far too restrictive for the universal attacks to be feasible against Mumble.

The basic attacks do not require an attacker-chosen nonce and as such are more applicable to Mumble. They are however of limited use and do require an en- and a decryption oracle which Mumble seemingly does not provide at the same time.

To be on the safe side, this commit implements the counter-cryptanalysis measure described in the paper in section 9 for the sender and receiver side. This way if either server or client is patched, their communication is almost certainly (merely lacking formal proof) not susceptible to the attacks described in the paper.

Fixed: Potential exploit in the OCB2 encryption (#4227)

References:
https://github.com/mumble-voip/mumble/issues/4219
https://github.com/mumble-voip/mumble/pull/4227
========================

Packages in 7/core/updates_testing:
========================
mumble-1.3.1-1.mga7.i586.rpm
mumble-protocol-plasma5-1.3.1-1.mga7.i586.rpm
mumble-plugins-1.3.1-1.mga7.i586.rpm
mumble-server-1.3.1-1.mga7.i586.rpm
mumble-server-web-1.3.1-1.mga7.i586.rpm
mumble-1.3.1-1.mga7.x86_64.rpm
mumble-protocol-plasma5-1.3.1-1.mga7.x86_64.rpm
mumble-plugins-1.3.1-1.mga7.x86_64.rpm
mumble-server-1.3.1-1.mga7.x86_64.rpm
mumble-server-web-1.3.1-1.mga7.x86_64.rpm

Source RPM:
========================
mumble-1.3.1-1.mga7.src.rpm
CC: (none) => geiger.david68210
Assignee: bugsquad => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
Trying to find info in older updates, ref bug 6511.

At CLI:
# systemctl restart httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-06-20 14:25:39 CEST; 12s ago
 Main PID: 17266 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
    Tasks: 27 (limit: 4915)
   Memory: 34.5M
   CGroup: /system.slice/httpd.service
           ├─17266 /usr/sbin/httpd -DFOREGROUND
           ├─17269 /usr/sbin/httpd -DFOREGROUND
           ├─17270 /usr/sbin/httpd -DFOREGROUND
           ├─17272 /usr/sbin/httpd -DFOREGROUND
           ├─17280 /usr/sbin/httpd -DFOREGROUND
           ├─17285 /usr/sbin/httpd -DFOREGROUND
           └─17290 /usr/sbin/httpd -DFOREGROUND

Jun 20 14:25:38 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Jun 20 14:25:39 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.

# systemctl start mumble-server
# systemctl -l status mumble-server
● mumble-server.service - LSB: Mumble VoIP Server
   Loaded: loaded (/etc/rc.d/init.d/mumble-server; generated)
   Active: active (running) since Sat 2020-06-20 14:26:25 CEST; 28s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 20071 ExecStart=/etc/rc.d/init.d/mumble-server start (code=exited, status=0/SUCCESS)
    Tasks: 7 (limit: 4915)
   Memory: 11.2M
   CGroup: /system.slice/mumble-server.service
           └─20087 /usr/sbin/murmurd -ini /etc/mumble-server.ini

Jun 20 14:26:23 mach5.hviaene.thuis systemd[1]: Starting LSB: Mumble VoIP Server...
Jun 20 14:26:23 mach5.hviaene.thuis runuser[20080]: pam_unix(runuser:session): session opened for user mumble-server by (uid=0)
Jun 20 14:26:25 mach5.hviaene.thuis runuser[20080]: pam_unix(runuser:session): session closed for user mumble-server
Jun 20 14:26:25 mach5.hviaene.thuis mumble-server[20071]: Starting mumble-server: [ OK ]
Jun 20 14:26:25 mach5.hviaene.thuis systemd[1]: Started LSB: Mumble VoIP Server.
Did the updates in /etc/mumble-server.ini and then tried to connect.

http://www.webserver.com/cgi-bin/mumble-server/register.cgi gives:
  Yahoo Logo
  Will be right back...
  Thank you for your patience.
  Our engineers are working quickly to resolve the issue.

and http://localhost/cgi-bin/mumble-server/weblist.cgi (or https for that matter) gives:
  Object not found!
  The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again.
  If you think this is a server error, please contact the webmaster.
  Error 404
CC: (none) => herman.viaene
openSUSE has issued an advisory for this on July 20:
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00050.html

It looks like you may want to update to 1.3.2, it fixes another bug.
Keywords: (none) => feedback
QA Contact: (none) => security
Component: RPM Packages => Security
Done!

Packages in 7/core/updates_testing:
========================
mumble-1.3.2-1.mga7.i586.rpm
mumble-protocol-plasma5-1.3.2-1.mga7.i586.rpm
mumble-plugins-1.3.2-1.mga7.i586.rpm
mumble-server-1.3.2-1.mga7.i586.rpm
mumble-server-web-1.3.2-1.mga7.i586.rpm
mumble-1.3.2-1.mga7.x86_64.rpm
mumble-protocol-plasma5-1.3.2-1.mga7.x86_64.rpm
mumble-plugins-1.3.2-1.mga7.x86_64.rpm
mumble-server-1.3.2-1.mga7.x86_64.rpm
mumble-server-web-1.3.2-1.mga7.x86_64.rpm

Source RPM:
========================
mumble-1.3.2-1.mga7.src.rpm
Keywords: feedback => (none)
Installed 1.3.2-1, and got the same result as in Comment 2. Checked the configuration files, and got the impression from /etc/mumble-server.ini that this thingy needs sqlite up and running. Someone with more knowledge can check this, please?
Mga7 64

Mumble & mumble-server tested ok. Installed both and connected to the server at localhost.

mumble-server-web I think is legacy and broken. It should likely be dropped. Its conf has legacy (pre apache 2.4) settings and also makes use of an alias cgi-bin/mumble-server which causes an error in /var/log/httpd/error_log:

[cgi:error] [pid 31906] [client 127.0.0.1:54896] AH02811: script not found or unable to stat: /var/www/cgi-bin/mumble-server

..probably due to existing cgi-bin alias pointing there. When altered to remove the cgi-bin portion from the alias in the conf it still doesn't work though, showing 404 object not found. Stopped digging there. I don't think there is currently any supported web admin for mumble-server.
Installed Packages
mumble.x86_64                       1.3.2-1.mga7    @updates_testing-x86_64
mumble-plugins.x86_64               1.3.2-1.mga7    @updates_testing-x86_64
mumble-protocol-plasma5.x86_64      1.3.2-1.mga7    @updates_testing-x86_64
Available Packages
mumble-server.x86_64                1.3.2-1.mga7    updates_testing-x86_64
mumble-server-web.x86_64            1.3.2-1.mga7    updates_testing-x86_64

I had mumble client installed by a previous test. Went through the configuration and had a voice chat from Brazil with someone from Germany. Everything ok, no regression found.

Mumble server was never installed here, and I think it is out of scope for QA. So giving its OK.
CC: (none) => bequimao.de
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 1, but needs to be updated for the tested version.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => mageia
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0315.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
(In reply to David Walser from comment #3)
> openSUSE has issued an advisory for this on July 20:
> https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00050.html
>
> It looks like you may want to update to 1.3.2, it fixes another bug.

Apparently the 1.3.2 update is also related to CVE-2020-13962:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/V3IZY7LKJ6NAXQDFYFR4S7L5BBHYK53K/

See also Bug 27218.