Bug 29193 - quassel new security issue CVE-2021-34825
Summary: quassel new security issue CVE-2021-34825
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-06-30 18:45 CEST by David Walser
Modified: 2021-07-27 22:23 CEST

See Also:
Source RPM: quassel-0.13.1-6.mga8.src.rpm
CVE: CVE-2021-34825
Status comment:


Description David Walser 2021-06-30 18:45:35 CEST
Fedora has issued an advisory on June 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7ZFWRN5P2WG23MWMVAEVV3YBHGFJHDSW/

Mageia 7 and Mageia 8 are also affected.

David Walser 2021-06-30 18:46:04 CEST

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Patch available from Fedora

Comment 1 David Walser 2021-07-01 19:00:48 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 2 David Walser 2021-07-25 22:42:33 CEST
Advisory:
========================

Updated quassel packages fix security vulnerability:

Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or
TLS support if a usable X.509 certificate is not found on the local system
(CVE-2021-34825).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34825
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7ZFWRN5P2WG23MWMVAEVV3YBHGFJHDSW/
========================

Updated packages in core/updates_testing:
========================
quassel-0.13.1-6.1.mga8
quassel-client-0.13.1-6.1.mga8
quassel-core-0.13.1-6.1.mga8
quassel-common-0.13.1-6.1.mga8

from quassel-0.13.1-6.1.mga8.src.rpm

Status comment: Patch available from Fedora => (none)
Assignee: kde => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 3 David Walser 2021-07-26 16:03:44 CEST
Advisory:
========================

Updated quassel packages fix security vulnerability:

Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or
TLS support if a usable X.509 certificate is not found on the local system
(CVE-2021-34825).

Also, the default IRC server has been changed from Freenode to Libera Chat, as
upstream has moved their #quassel channel there.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34825
https://quassel-irc.org/node/136
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7ZFWRN5P2WG23MWMVAEVV3YBHGFJHDSW/
========================

Updated packages in core/updates_testing:
========================
quassel-0.13.1-6.2.mga8
quassel-client-0.13.1-6.2.mga8
quassel-core-0.13.1-6.2.mga8
quassel-common-0.13.1-6.2.mga8

from quassel-0.13.1-6.2.mga8.src.rpm

Comment 4 Herman Viaene 2021-07-27 15:02:40 CEST
Strange, my test on the 6.1 text has disappeared.
Anyway, logged in to #mag-qa and could post, jybz answered, tx.
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Aurelien Oudelet 2021-07-27 21:00:45 CEST
Validating.

Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-34825
CC: (none) => ouaurelien, sysadmin-bugs

Comment 6 Mageia Robot 2021-07-27 22:23:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0382.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

