That CVE was announced here: https://www.openwall.com/lists/oss-security/2024/10/25/1
CVE: (none) => CVE-2024-9050
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => networkmanager-libreswan-1.2.16-2.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.2.24
Note 'Status comment'. No current maintainer, so assigning globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated package fixes a security vulnerability:

A flaw was found in the libreswan client plugin for NetworkManager (NetworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed in a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown` key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root on the targeted machine by creating a malicious configuration. (CVE-2024-9050)

References:
https://www.openwall.com/lists/oss-security/2024/10/25/1
========================

Updated package in core/updates_testing:
========================
networkmanager-libreswan-1.2.24-1.mga9

from SRPM:
networkmanager-libreswan-1.2.24-1.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Status comment: Fixed upstream in 1.2.24 => (none)
Keywords: (none) => advisory
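The unescaped key-value writing the advisory describes, as an added example that is not code from NetworkManager-libreswan or from this bug report: the line-oriented format, both writers and the round-trip check are constructed for illustration, and the only key taken from the advisory is `leftupdown`.

```python
# Constructed illustration of the bug class in the advisory above: a key=value
# config written without escaping lets a user-supplied value be read back as a
# new key. Not NetworkManager-libreswan code; the format and helpers are assumed.

def write_config_unsafe(options: dict) -> str:
    # Flawed pattern: one key=value line per option, no escaping at all.
    return "".join(f"{k}={v}\n" for k, v in options.items())

def write_config_safe(options: dict) -> str:
    # Hardened pattern: keys must be plain words; values are quoted, with
    # backslashes, quotes and line breaks escaped, so a value can neither
    # span lines nor close its own quoting.
    lines = []
    for k, v in options.items():
        if not k.isidentifier():
            raise ValueError(f"rejecting non-identifier key {k!r}")
        escaped = (v.replace("\\", "\\\\").replace('"', '\\"')
                    .replace("\r", "\\r").replace("\n", "\\n"))
        lines.append(f'{k}="{escaped}"\n')
    return "".join(lines)

def parse_config(text: str) -> dict:
    # Minimal reader for the line-oriented format written above.
    parsed = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition("=")
            parsed[key.strip()] = value
    return parsed

def injected_keys(intended: dict, written: str) -> set:
    # Defensive check: any key in the written config that was not in the
    # intended option set means a value was interpreted as a key.
    return set(parse_config(written)) - set(intended)

# Constructed sample: one value carries a line break followed by the key the
# advisory names; the token after it is a placeholder, not a real command.
SAMPLE_OPTIONS = {
    "left": "%defaultroute",
    "rightid": "gw.example.invalid\nleftupdown=PLACEHOLDER_COMMAND",
}

def check_writer(writer) -> set:
    # Run a writer over the sample and report the keys it let through.
    return injected_keys(SAMPLE_OPTIONS, writer(SAMPLE_OPTIONS))

if __name__ == "__main__":
    print("unsafe writer leaks:", check_writer(write_config_unsafe))  # {'leftupdown'}
    print("safe writer leaks:", check_writer(write_config_safe))      # set()
```

The same round-trip check can be run against any writer that produces a config the plugin later reads, since an unexpected key in the re-parsed output is exactly the symptom the advisory describes.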
MGA9-64 Plasma. I use Network Manager, but I do not use a libreswan VPN. My VPNs use openvpn. However, networkmanager-libreswan is installed with other Network Manager VPN plugins as a dependency. No installation issues. Using Plasma's system settings/Connections, I was able to start to add a libreswan VPN connection to the existing list, which brought up the configuration gui. I checked the different tabs, and they were OK, but since I do not have the necessary information, I was, of course, unable to actually set up the VPN. I backed out. The update doesn't seem to affect my normal use of Network Manager in any way. Previous updates involving libreswan were approved based on a clean install, and I don't see any reason why this one should be different. Validating.
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
This package was pushed today but for some reason this bug wasn't automatically closed.
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
CC: (none) => dan
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0356.html