Fedora has issued an advisory on July 14:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082850.html

Patched package for Mageia 2 uploaded.

Advisory:
========================

Updated links package fixes security vulnerability:

Mosh versions 1.2 and earlier allow an application to cause the mosh-server to consume large amounts of CPU time with a short ANSI escape sequence. In addition, a malicious mosh-server can cause the mosh-client to consume large amounts of CPU time with a short ANSI escape sequence. This arises because there was no limit on the value of the "repeat" parameter in some ANSI escape sequences, so even large and nonsensical values would be interpreted by Mosh's terminal emulator (CVE-2012-2385).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2385
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082850.html
========================

Updated packages in core/updates_testing:
========================
mosh-1.1.3-1.1.mga2

from mosh-1.1.3-1.1.mga2.src.rpm
Testing complete on Mageia 2 i586.

[dave@hodgins ~]$ mosh-server
MOSH CONNECT 60001 D60DvN15FkpZa0FuxHagPA
[dave@hodgins ~]$ mosh-server (mosh 1.1.3)
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
[mosh-server detached, pid = 16557]
[dave@hodgins ~]$ MOSH_KEY=D60DvN15FkpZa0FuxHagPA mosh-client 127.0.0.1 60001
Server now attached to client at 127.0.0.1:35002

Note the key and port copied from the output of the mosh server.
Also, have to press enter after starting the server, to get a bash prompt.
Press ctrl shift 6, then a period, to exit the client and close the server.
CC: (none) => davidwhodgins
Whiteboard: (none) => MGA2-32-OK
Testing complete x86_64

Validating

Advisory and srpm in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Whiteboard: MGA2-32-OK => MGA2-32-OK mga2-64-OK
Reposting the advisory because of a copy-paste error.

Advisory:
========================

Updated mosh package fixes security vulnerability:

Mosh versions 1.2 and earlier allow an application to cause the mosh-server to consume large amounts of CPU time with a short ANSI escape sequence. In addition, a malicious mosh-server can cause the mosh-client to consume large amounts of CPU time with a short ANSI escape sequence. This arises because there was no limit on the value of the "repeat" parameter in some ANSI escape sequences, so even large and nonsensical values would be interpreted by Mosh's terminal emulator (CVE-2012-2385).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2385
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082850.html
========================

Updated packages in core/updates_testing:
========================
mosh-1.1.3-1.1.mga2

from mosh-1.1.3-1.1.mga2.src.rpm
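Added example (not part of the bug report and not Mosh's code): a minimal sketch of the mitigation class the advisory describes, where the numeric "repeat" parameter saturates at a cap and the resulting loop is bounded by the row width. All names, the 65535 cap and the choice of ECH (final byte 'X') as the modelled sequence are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical names and limits; not taken from Mosh's source.
constexpr long kMaxParam = 65535;  // assumed cap on any numeric parameter

// Parse the leading decimal parameter of a CSI body such as "12X".
// The value saturates at kMaxParam, so a long digit run can neither
// overflow nor produce a huge repeat count. Absent or zero means 1.
int parse_repeat(const std::string& body, char& final_byte) {
    long value = 0;
    std::size_t i = 0;
    for (; i < body.size() && body[i] >= '0' && body[i] <= '9'; ++i)
        value = std::min(value * 10 + (body[i] - '0'), kMaxParam);
    final_byte = i < body.size() ? body[i] : '\0';
    return value > 0 ? static_cast<int>(value) : 1;
}

// Erase `count` cells from `col`, bounded by what is left of the row.
// Returns the number of cells touched, i.e. the work actually done.
std::size_t erase_chars(std::vector<char>& row, std::size_t col, int count) {
    if (col >= row.size()) return 0;
    std::size_t n = std::min(static_cast<std::size_t>(count), row.size() - col);
    std::fill_n(row.begin() + static_cast<std::ptrdiff_t>(col), n, ' ');
    return n;
}

// Dispatch one CSI body; only ECH (final byte 'X') is modelled here.
std::size_t handle_csi(std::vector<char>& row, std::size_t col,
                       const std::string& body) {
    char final_byte = '\0';
    int count = parse_repeat(body, final_byte);
    return final_byte == 'X' ? erase_chars(row, col, count) : 0;
}

int main() {
    std::vector<char> row(80, 'a');  // constructed 80-column row
    // Constructed input: a nonsensically large repeat parameter.
    std::size_t touched = handle_csi(row, 10, "99999999999999999999X");
    std::printf("cells touched: %zu\n", touched);
    return 0;
}
```

The two bounds are independent: the parser cap limits what any handler can receive, and the handler clamp ties the work to the screen geometry rather than to attacker-supplied input.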
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0182
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED