Bug 6908 - icecast missing update for CVE-2011-4612
Summary: icecast missing update for CVE-2011-4612
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/485945/
Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-07-31 00:07 CEST by David Walser
Modified: 2012-08-12 21:06 CEST (History)
6 users (show)

See Also:
Source RPM: icecast-2.3.2-3.mga1.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2012-07-31 00:07:15 CEST 
OpenSuSE issued an advisory on March 10:
http://lists.opensuse.org/opensuse-updates/2012-03/msg00017.html

Mageia 1 and Mageia 2 are also affected.
David Walser 2012-07-31 00:07:27 CEST

CC: (none) => nanardon

Remco Rijnders 2012-08-03 07:53:43 CEST

CC: (none) => remco

Comment 1 David Walser 2012-08-08 19:04:13 CEST 
Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated icecast package fixes security vulnerability:

Icecast didn't strip newlines from log entries, therefore allowing users
to forge log entries (CVE-2011-4612).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4612
http://lists.opensuse.org/opensuse-updates/2012-03/msg00017.html
========================

Updated packages in core/updates_testing:
========================
icecast-2.3.2-3.1.mga1
icecast-2.3.2-3.1.mga2

from SRPMS:
icecast-2.3.2-3.1.mga1.src.rpm
icecast-2.3.2-3.1.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA1TOO

Comment 2 user7 2012-08-08 19:15:29 CEST 
A PoC can be found on Novell's bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=737255

CC: (none) => wassi

Comment 3 Dave Hodgins 2012-08-08 23:09:20 CEST 
Testing complete on Mageia 1 i586.

I'll test Mageia 1 x86-64 shortly.

CC: (none) => davidwhodgins

Comment 4 Dave Hodgins 2012-08-08 23:17:19 CEST 
Testing complete on Mageia 1 x86-64.

Whiteboard: MGA1TOO => MGA1TOO MGA1-32-OK MGA1-64-OK

Comment 5 Dave Hodgins 2012-08-08 23:24:12 CEST 
Testing complete on Mageia 2 i586.  I'll test x86-64 shortly.

Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK => MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-32-OK

Comment 6 Dave Hodgins 2012-08-08 23:35:30 CEST 
Testing complete on Mageia 2 x86-64

Could someone from the sysadmin team push the srpm
icecast-2.3.2-3.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
icecast-2.3.2-3.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated icecast package fixes security vulnerability:

Icecast didn't strip newlines from log entries, therefore allowing users
to forge log entries (CVE-2011-4612).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4612
http://lists.opensuse.org/opensuse-updates/2012-03/msg00017.html

https://bugs.mageia.org/show_bug.cgi?id=6908

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-32-OK => MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-32-OK MGA2-64-OK

Comment 7 Thomas Backlund 2012-08-12 21:06:17 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0211

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.