Bug 7062 - erlang missing update for security issue CVE-2011-0766
Summary: erlang missing update for security issue CVE-2011-0766
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/453728/
Whiteboard: MGA1-64-OK MGA1-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-08-14 22:26 CEST by David Walser
Modified: 2012-11-23 21:27 CET

See Also:
Source RPM: erlang-R14B-1.mga1.src.rpm
CVE:
Status comment:



Description David Walser 2012-08-14 22:26:36 CEST
Fedora has issued an advisory on July 23, 2011:
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063218.html

Mageia 2 is not affected; it was fixed in R14B03.
David Walser 2012-09-08 16:00:29 CEST

CC: (none) => n54

Comment 1 Manuel Hiebel 2012-11-05 16:53:10 CET
This message is a reminder that Mageia 1 is nearing its end of life. 
In approximately 25 days from now, Mageia will stop maintaining and issuing 
updates for Mageia 1. At that time this bug will be closed as WONTFIX (EOL) if it 
remains open with a Mageia 'version' of '1'.

Package Maintainer: If you wish for this bug to remain open because you plan to 
fix it in a currently maintained version, simply change the 'version' to a later 
Mageia version prior to Mageia 1's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not 
be able to fix it before Mageia 1 is end of life.  If you would still like to see 
this bug fixed and are able to reproduce it against a later version of Mageia, 
you are encouraged to click on "Version" and change it against that version 
of Mageia.

Although we aim to fix as many bugs as possible during every release's lifetime, 
sometimes those efforts are overtaken by events. Often a more recent Mageia 
release includes newer upstream software that fixes bugs or makes them obsolete.

--
Mageia Bugsquad
David Walser 2012-11-20 16:41:42 CET

Severity: normal => major

Comment 2 David Walser 2012-11-21 17:11:04 CET
Updated package uploaded for Mageia 1.

Advisory:
========================

Updated erlang packages fix security vulnerability:

The random number generator in the Crypto application before 2.0.2.2, and
SSH before 2.0.5, as used in the Erlang/OTP ssh library before R14B03, uses
predictable seeds based on the current time, which makes it easier for remote
attackers to guess DSA host and SSH session keys (CVE-2011-0766).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0766
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063218.html
========================

Updated packages in core/updates_testing:
========================
erlang-stack-R14B03-1.mga1
erlang-base-R14B03-1.mga1
erlang-devel-R14B03-1.mga1
erlang-manpages-R14B03-1.mga1
erlang-appmon-R14B03-1.mga1
erlang-dialyzer-R14B03-1.mga1
erlang-diameter-R14B03-1.mga1
erlang-edoc-R14B03-1.mga1
erlang-emacs-R14B03-1.mga1
erlang-jinterface-R14B03-1.mga1
erlang-asn1-R14B03-1.mga1
erlang-common_test-R14B03-1.mga1
erlang-compiler-R14B03-1.mga1
erlang-cosEvent-R14B03-1.mga1
erlang-cosEventDomain-R14B03-1.mga1
erlang-cosFileTransfer-R14B03-1.mga1
erlang-cosNotification-R14B03-1.mga1
erlang-cosProperty-R14B03-1.mga1
erlang-cosTime-R14B03-1.mga1
erlang-cosTransactions-R14B03-1.mga1
erlang-crypto-R14B03-1.mga1
erlang-debugger-R14B03-1.mga1
erlang-docbuilder-R14B03-1.mga1
erlang-erl_docgen-R14B03-1.mga1
erlang-erl_interface-R14B03-1.mga1
erlang-et-R14B03-1.mga1
erlang-eunit-R14B03-1.mga1
erlang-gs-R14B03-1.mga1
erlang-hipe-R14B03-1.mga1
erlang-inviso-R14B03-1.mga1
erlang-ic-R14B03-1.mga1
erlang-inets-R14B03-1.mga1
erlang-megaco-R14B03-1.mga1
erlang-mnesia-R14B03-1.mga1
erlang-observer-R14B03-1.mga1
erlang-odbc-R14B03-1.mga1
erlang-orber-R14B03-1.mga1
erlang-os_mon-R14B03-1.mga1
erlang-otp_mibs-R14B03-1.mga1
erlang-parsetools-R14B03-1.mga1
erlang-percept-R14B03-1.mga1
erlang-pman-R14B03-1.mga1
erlang-public_key-R14B03-1.mga1
erlang-reltool-R14B03-1.mga1
erlang-runtime_tools-R14B03-1.mga1
erlang-snmp-R14B03-1.mga1
erlang-ssh-R14B03-1.mga1
erlang-ssl-R14B03-1.mga1
erlang-syntax_tools-R14B03-1.mga1
erlang-test_server-R14B03-1.mga1
erlang-toolbar-R14B03-1.mga1
erlang-tools-R14B03-1.mga1
erlang-typer-R14B03-1.mga1
erlang-tv-R14B03-1.mga1
erlang-webtool-R14B03-1.mga1
erlang-wx-R14B03-1.mga1
erlang-xmerl-R14B03-1.mga1

from erlang-R14B03-1.mga1.src.rpm

Assignee: fundawang => qa-bugs

Comment 3 Dave Hodgins 2012-11-22 01:11:29 CET
Testing complete on Mageia 1 i586 and x86-64.

No poc, so just testing that the updates all install cleanly, and the
erl shell is working.

Could someone from the sysadmin team push the srpm
erlang-R14B03-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated erlang packages fix security vulnerability:

The random number generator in the Crypto application before 2.0.2.2, and
SSH before 2.0.5, as used in the Erlang/OTP ssh library before R14B03, uses
predictable seeds based on the current time, which makes it easier for remote
attackers to guess DSA host and SSH session keys (CVE-2011-0766).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0766
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063218.html

https://bugs.mageia.org/show_bug.cgi?id=7062

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA1-64-OK MGA1-32-OK
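Since no PoC was available for the test above, one complementary check is to confirm that no erlang subpackage is left below the fixed release R14B03. The script below is an added example, not part of the original bug thread or of Mageia's tooling; the function names are hypothetical, the package list is a constructed sample, and it assumes the `R<major><A|B><patch>` release naming seen on this page.

```shell
#!/bin/sh
# Added example: flag erlang packages older than the fixed release.
FIXED_RELEASE="R14B03"   # first fixed release, per the advisory text

# Strip leading zeros so "03" is not read as octal; empty becomes 0.
dec() { printf '%s\n' "$1" | sed 's/^0*//;s/^$/0/'; }

# Map an OTP release string (R14B, R14B03, R15B01) to a sortable integer.
# Assumes R<major><A|B><patch> naming; A sorts before B. Fails otherwise.
otp_key() {
    printf '%s\n' "$1" | grep -Eq '^R[0-9]+[AB][0-9]*$' || return 1
    v=${1#R}
    m=${v%%[AB]*}            # digits before the letter
    rest=${v#"$m"}           # letter plus optional patch digits
    case $rest in A*) letter=0 ;; *) letter=1 ;; esac
    echo $(( $(dec "$m") * 10000 + letter * 1000 + $(dec "${rest#?}") ))
}

# Read "name-version-release" lines (rpm -qa style) and classify each one.
# Prints "<STATUS> <name> <version>"; returns 1 if any line is not OK.
audit_erlang() {
    fixed=$(otp_key "$FIXED_RELEASE") || return 2
    rc=0
    while IFS= read -r nvr; do
        [ -n "$nvr" ] || continue
        nv=${nvr%-*}         # drop the RPM release field (e.g. 1.mga1)
        ver=${nv##*-}
        name=${nv%-*}
        if ! key=$(otp_key "$ver"); then
            echo "UNKNOWN $name $ver"; rc=1
        elif [ "$key" -lt "$fixed" ]; then
            echo "VULNERABLE $name $ver"; rc=1
        else
            echo "OK $name $ver"
        fi
    done
    return $rc
}

# Constructed sample: a host where only some subpackages were updated.
SAMPLE='erlang-ssh-R14B-1.mga1
erlang-crypto-R14B03-1.mga1
erlang-common_test-R14B03-1.mga1
erlang-base-R14B-1.mga1'

sample_report() { printf '%s\n' "$SAMPLE" | audit_erlang; }
sample_report || echo "at least one erlang package predates $FIXED_RELEASE"
```

On a real host, pipe `rpm -qa 'erlang*'` into `audit_erlang` instead of the sample.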

Comment 4 Thomas Backlund 2012-11-23 21:27:30 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0338

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

