openSUSE has issued an advisory today (August 2):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UWUYL7FE7EBPBC7ZEMY2Q5OKW2V6KZ5F/

Fixes are available here:
https://lore.kernel.org/connman/20220801080043.4861-5-wagi@monom.org/
https://lore.kernel.org/connman/20220801080043.4861-3-wagi@monom.org/
https://lore.kernel.org/connman/20220801080043.4861-1-wagi@monom.org/
and have been committed upstream:
https://git.kernel.org/pub/scm/network/connman/connman.git

Mageia 8 is also affected.

Status comment: (none) => Patches available from upstream
Whiteboard: (none) => MGA8TOO
Has been maintained by different people, so have to assign this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In ConnMan through 1.41, remote attackers able to send HTTP requests to the gweb component are able to exploit a heap-based buffer overflow in received_data to execute code. (CVE-2022-32292)

In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a use-after-free in WISPR handling, leading to crashes or code execution. (CVE-2022-32293)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32292
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32293
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UWUYL7FE7EBPBC7ZEMY2Q5OKW2V6KZ5F/
========================

Updated packages in core/updates_testing:
========================
connman-1.38-2.3.mga8
connman-devel-1.38-2.3.mga8

from SRPM:
connman-1.38-2.3.mga8.src.rpm

Status: NEW => ASSIGNED
Status comment: Patches available from upstream => (none)
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2022-32292, CVE-2022-32293
Whiteboard: MGA8TOO => (none)
Source RPM: connman-1.40-3.mga9.src.rpm => connman-1.38-2.2.mga8.src.rpm
CC: (none) => nicolas.salguero
MGA8-64 Plasma on Acer Aspire 5253
No installation issues, including econnman.
Ref bug 29945 and 28321 for testing
quit net-applet, got message that wifi was disconnected
# systemctl start connman
# systemctl status connman
● connman.service - Connection service
     Loaded: loaded (/usr/lib/systemd/system/connman.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2022-08-24 10:16:00 CEST; 21s ago
   Main PID: 10123 (connmand)
      Tasks: 1 (limit: 4364)
     Memory: 1.1M
        CPU: 187ms
     CGroup: /system.slice/connman.service
             └─10123 /usr/sbin/connmand -n

Aug 24 10:16:01 mach7.hviaene.thuis connmand[10123]: enp6s0 {newlink} index 2 address 1C:75:08:FA:94:52 mtu 1500
Aug 24 10:16:01 mach7.hviaene.thuis connmand[10123]: enp6s0 {newlink} index 2 operstate 2 <DOWN>
Aug 24 10:16:01 mach7.hviaene.thuis connmand[10123]: Adding interface enp6s0 [ ethernet ]
Aug 24 10:16:01 mach7.hviaene.thuis connmand[10123]: wlp7s0 {create} index 3 type 1 <ETHER>
Aug 24 10:16:01 mach7.hviaene.thuis connmand[10123]: wlp7s0 {RX} 46584 packets 58975774 bytes
Aug 24 10:16:01 mach7.hviaene.thuis connmand[10123]: wlp7s0 {TX} 16977 packets 1912095 bytes
Aug 24 10:16:01 mach7.hviaene.thuis connmand[10123]: wlp7s0 {update} flags 36866 <DOWN>
Aug 24 10:16:01 mach7.hviaene.thuis connmand[10123]: wlp7s0 {newlink} index 3 address 90:00:4E:73:13:B3 mtu 1500
Aug 24 10:16:01 mach7.hviaene.thuis connmand[10123]: wlp7s0 {newlink} index 3 operstate 2 <DOWN>
Aug 24 10:16:01 mach7.hviaene.thuis connmand[10123]: Adding interface wlp7s0 [ wifi ]
[root@mach7 ~]# connmanctl enable wifi
Enabled wifi
[root@mach7 ~]# connmanctl scan wifi
Error /net/connman/technology/wifi: No carrier

But I noticed that the wifi connection was up again.

And
# econnman-bin
Traceback (most recent call last):
  File "/usr/bin/econnman-bin", line 1496, in <module>
    win = Window("econnman", ELM_WIN_BASIC)
  File "efl/elementary/window.pxi", line 45, in efl.elementary.__init__.Window.__init__
  File "efl/elementary/object.pxi", line 111, in efl.elementary.__init__.Object._set_obj
  File "efl/evas/efl.evas_object.pxi", line 198, in efl.evas.Object._set_obj
  File "efl/eo/efl.eo.pyx", line 254, in efl.eo.Eo._set_obj
AssertionError: Cannot set a NULL object

I'm hopeless with this tool.......
CC: (none) => herman.viaene
No installation issues updating over the previous version. I have never had much success operating this, either. I attempted to run the same tests I used in Bug 29945 and bug 28321, with results the same as in the older one. The tool fails to connect to my wifi because of an input/output error with the passphrase. I don't recall what I did differently in bug 29945 to get it to connect. I'm giving it an OK based mostly on the clean installs, and the fact that I got as far as I did attempting to use it, without crashing it. If this is insufficient, I'm willing to try again, but I'll need some handholding to do it. Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0319.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED