Bug 26746 - MUMBLE : New version 1.3.1 with fix Potential exploit
Summary: MUMBLE : New version 1.3.1 with fix Potential exploit
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://www.mumble.info/blog/mumble-1...
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-06-08 22:29 CEST by Arnaud Vacquier
Modified: 2020-10-13 20:31 CEST (History)
6 users (show)

See Also:
Source RPM: mumble-1.3.0-1.mga7.x86_64.rpm
Status comment:


Description Arnaud Vacquier 2020-06-08 22:29:37 CEST
Description of problem:
New version is out 1.3.1 with fix Potential exploit
Fixed: Potential exploit in the OCB2 encryption (#4227)

changelog :

Archive :
Arnaud Vacquier 2020-06-08 22:30:22 CEST

Source RPM: (none) => mumble-1.3.0-1.mga7.x86_64.rpm

Comment 1 David GEIGER 2020-06-09 07:37:15 CEST
Assigning to QA,


Updated mumble package fixes security vulnerability:

OCB2 is known to be broken under certain conditions:

To execute the universal attacks described in the paper, an attacker needs
access to an encryption oracle that allows it to perform encryption queries with
attacker-chosen nonce. Luckily in Mumble the encryption nonce is a fixed counter
which is far too restrictive for the universal attacks to be feasible against

The basic attacks do not require an attacker-chosen nonce and as such are more
applicable to Mumble. They are however of limited use and do require an en- and
a decryption oracle which Mumble seemingly does not provide at the same time.

To be on the safe side, this commit implements the counter-cryptanalysis
measure described in the paper in section 9 for the sender and receiver side.
This way if either server of client are patched, their communication is almost
certainly (merely lacking formal proof) not susceptible to the attacks described
in the paper.

Fixed: Potential exploit in the OCB2 encryption (#4227)



Packages in 7/core/updates_testing:


Source RPM: 

CC: (none) => geiger.david68210
Assignee: bugsquad => qa-bugs

Comment 2 Herman Viaene 2020-06-20 14:46:40 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Trying to find info in older updates.
ref bug 6511
# systemctl restart httpd

# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-06-20 14:25:39 CEST; 12s ago
 Main PID: 17266 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
    Tasks: 27 (limit: 4915)
   Memory: 34.5M
   CGroup: /system.slice/httpd.service
           ├─17266 /usr/sbin/httpd -DFOREGROUND
           ├─17269 /usr/sbin/httpd -DFOREGROUND
           ├─17270 /usr/sbin/httpd -DFOREGROUND
           ├─17272 /usr/sbin/httpd -DFOREGROUND
           ├─17280 /usr/sbin/httpd -DFOREGROUND
           ├─17285 /usr/sbin/httpd -DFOREGROUND
           └─17290 /usr/sbin/httpd -DFOREGROUND

Jun 20 14:25:38 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Jun 20 14:25:39 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.

# systemctl start mumble-server

# systemctl -l status mumble-server
● mumble-server.service - LSB: Mumble VoIP Server
   Loaded: loaded (/etc/rc.d/init.d/mumble-server; generated)
   Active: active (running) since Sat 2020-06-20 14:26:25 CEST; 28s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 20071 ExecStart=/etc/rc.d/init.d/mumble-server start (code=exited, status=0/SUCCESS)
    Tasks: 7 (limit: 4915)
   Memory: 11.2M
   CGroup: /system.slice/mumble-server.service
           └─20087 /usr/sbin/murmurd -ini /etc/mumble-server.ini

Jun 20 14:26:23 mach5.hviaene.thuis systemd[1]: Starting LSB: Mumble VoIP Server...
Jun 20 14:26:23 mach5.hviaene.thuis runuser[20080]: pam_unix(runuser:session): session opened for user mumble-server by (uid=0)
Jun 20 14:26:25 mach5.hviaene.thuis runuser[20080]: pam_unix(runuser:session): session closed for user mumble-server
Jun 20 14:26:25 mach5.hviaene.thuis mumble-server[20071]: Starting mumble-server: [  OK  ]
Jun 20 14:26:25 mach5.hviaene.thuis systemd[1]: Started LSB: Mumble VoIP Server.

Did the updates in /etc/mumble-server.ini and then tried to connect
Yahoo Logo
Will be right back...

Thank you for your patience.

Our engineers are working quickly to resolve the issue.

http://localhost/cgi-bin/mumble-server/weblist.cgi (or https for that matter) gives
Object not found!

The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again.

If you think this is a server error, please contact the webmaster.
Error 404

CC: (none) => herman.viaene

Comment 3 David Walser 2020-07-21 18:28:06 CEST
openSUSE has issued an advisory for this on July 20:

It looks like you may want to update to 1.3.2, it fixes another bug.

Keywords: (none) => feedback
QA Contact: (none) => security
Component: RPM Packages => Security

Comment 4 David GEIGER 2020-07-23 07:32:20 CEST

Packages in 7/core/updates_testing:


Source RPM: 
David Walser 2020-07-23 14:06:06 CEST

Keywords: feedback => (none)

Comment 5 Herman Viaene 2020-07-25 14:38:35 CEST
Installed 1.3.2-1, and got the same result as in Comment 2.
Checked the configuration files, and got the impression from /etc/mumble-server.ini, that this thingy needs sqlite up and running.
Someone with more knowledge can check this, please???
Comment 6 claire robinson 2020-07-29 15:05:30 CEST
Mga7 64

Mumble & mumble-server tested ok. Installed both and connected to the server at localhost.

mumble-server-web I think is legacy and broken. It should likely be dropped. Its conf has legacy (pre apache 2.4) settings and also makes use of an alias cgi-bin/mumble-server which causes an error in /var/log/httpd/error_log..

[cgi:error] [pid 31906] [client] AH02811: script not found or unable to stat: /var/www/cgi-bin/mumble-server

..probably due to existing cgi-bin alias pointing there.

When altered to remove the cgi-bin portion from the alias in the conf it still doesn't work though, showing 404 object not found. Stopped digging there.

I don't think there is currently any supported web admin for for mumble-server.
Comment 7 Ulrich Beckmann 2020-08-02 15:33:32 CEST
Installed Packages
mumble.x86_64                                                                      1.3.2-1.mga7                                                      @updates_testing-x86_64
mumble-plugins.x86_64                                                              1.3.2-1.mga7                                                      @updates_testing-x86_64
mumble-protocol-plasma5.x86_64                                                     1.3.2-1.mga7                                                      @updates_testing-x86_64
Available Packages
mumble-server.x86_64                                                               1.3.2-1.mga7                                                      updates_testing-x86_64
mumble-server-web.x86_64                                                           1.3.2-1.mga7                                                      updates_testing-x86_64

I had mumble client installed by a previous test. Went through the configuration and had a voice chat from Brazil with someone from Germany. Everything ok, no regression found. Mumble server was never installed here, and I think it is out of scope for QA. So giving it's OK.

CC: (none) => bequimao.de
Whiteboard: (none) => MGA7-64-OK

Comment 8 Thomas Andrews 2020-08-03 14:35:44 CEST
Validating. Advisory in Comment 1, but needs to be updated for the tested version.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-08-16 12:32:29 CEST

CC: (none) => mageia
Keywords: (none) => advisory

Comment 9 Mageia Robot 2020-08-16 14:07:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Comment 10 David Walser 2020-10-13 20:31:52 CEST
(In reply to David Walser from comment #3)
> openSUSE has issued an advisory for this on July 20:
> https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00050.html
> It looks like you may want to update to 1.3.2, it fixes another bug.

Apparently the 1.3.2 update is also related to CVE-2020-13962:

See also Bug 27218.

Note You need to log in before you can comment on or make changes to this bug.