Bug 908 - [TRACKER] rollup bug for security related issues blocking release of Mageia 1
Summary: [TRACKER] rollup bug for security related issues blocking release of Mageia 1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: release_blocker critical
Target Milestone: Mageia 1
Assignee: Stew Benedict
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on: 895 989 1115 1116 1117 1121 1142 1149 1150 1165 1232 1280 1281 1298 1299 1300
Blocks:
  Show dependency treegraph
 
Reported: 2011-04-20 21:24 CEST by Stew Benedict
Modified: 2011-05-23 18:53 CEST (History)
4 users (show)

See Also:
Source RPM:
CVE:
Status comment:


Attachments

Description Stew Benedict 2011-04-20 21:24:56 CEST
This is a rollup bug for security related issues that need to be addressed before final release. Use this bug # for "blocks" on individual bugs feeding into this.
Stew Benedict 2011-04-20 21:25:48 CEST

Priority: Normal => release_blocker
Status: NEW => ASSIGNED
Assignee: bugsquad => stewbintn
Target Milestone: --- => Mageia 1

Stew Benedict 2011-04-20 21:26:35 CEST

Severity: normal => critical

John Balcaen 2011-04-20 21:34:55 CEST

CC: (none) => balcaen.john

Stew Benedict 2011-04-20 23:33:37 CEST

Priority: release_blocker => High

Stew Benedict 2011-04-25 17:35:03 CEST

Depends on: (none) => 989

Comment 1 Anne Nicolas 2011-04-25 21:34:14 CEST
updating as blocker, we will close it before final release

Priority: High => release_blocker
Status: ASSIGNED => NEW
CC: (none) => ennael1

Nicolas Vigier 2011-04-26 20:09:17 CEST

Depends on: (none) => 895

Comment 2 Stew Benedict 2011-04-29 21:55:32 CEST
Sigh, I don't seem to even have time this week to open bug reports, but I've seen other vendor's reports go by on rsync, kerberos, php, fail2ban, mount, qemu-kvm, and the kernel. (osvdb mailer or oss-security list).

Status: NEW => ASSIGNED

Comment 3 Michael Scherer 2011-05-03 03:23:23 CEST
Rsync is ok ( CVE-2011-1097 ), we have rsync 3.0.8. 

Kerberos is CVE-2011-0285, not patched.

Qemu-kvm is CVE-2011-0011 CVE-2011-1750 , not patched. For the vnc issue ( CVE-2011-0011 ), the code changed in qemu 0.14 so I think we are covered ( http://git.kernel.org/?p=virt/kvm/qemu-kvm.git;a=commitdiff;h=1cd20f8bf0ecb9d1d1bd5e2ffab3b88835380c9b
), for the other one, I patched the code and submitted.

I didn't found fail2ban problem ( I didn't searched much besides mdv and debian advisory )

For php, well, I would not even start to look at it. 

For mount, I didn't found much ( again, didn't look in detail ).

CC: (none) => misc

Comment 4 Stew Benedict 2011-05-03 12:47:44 CEST
Here's some more info on fail2ban:

References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=544232
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=700763
> 
> Patch applied by Debian distribution:
> [3] http://git.onerussian.com/?p=deb/fail2ban.git;a=commitdiff;h=ea7d352616b1e2232fcaa99b11807a86ce29ed8b

CVE-2009-5023

Mount is issues with suid helpers (extract from oss-security):

CVE-2011-1675 - CVE-2011-1681 based on your list here:
http://thread.gmane.org/gmane.comp.security.oss.general/4374/focus=4516

CVE-2011-1089 for similar nfs-utils:
http://thread.gmane.org/gmane.comp.security.oss.general/4954

php is the usual fun, Ubuntu has issued an update for several CVE's:

http://www.ubuntu.com/usn/usn-1126-1/
Comment 5 Stew Benedict 2011-05-03 13:41:44 CEST
May also be a gstreamer issue (from RH advisory):

An integer overflow flaw, leading to a heap-based buffer overflow, and a
stack-based buffer overflow flaw were found in various ModPlug music file
format library (libmodplug) modules, embedded in GStreamer. An attacker
could create specially-crafted music files that, when played by a victim,
would cause applications using GStreamer to crash or, potentially, execute
arbitrary code. (CVE-2006-4192, CVE-2011-1574)

All users of gstreamer-plugins are advised to upgrade to these updated
packages, which contain backported patches to correct these issues. After
installing the update, all applications using GStreamer (such as Rhythmbox)
must be restarted for the changes to take effect.
Comment 6 Jérôme Soyer 2011-05-03 14:13:29 CEST
Vino package have two CVE (CVE-2011-0904, CVE-2011-0905) which is not included, see USN-1128-1 for more information.

I will patch vino and push it.

CC: (none) => saispo

Michael Scherer 2011-05-03 14:16:52 CEST

Depends on: (none) => 1115

Michael Scherer 2011-05-03 14:19:00 CEST

Depends on: (none) => 1116

Michael Scherer 2011-05-03 14:22:02 CEST

Depends on: (none) => 1117

John Balcaen 2011-05-03 18:42:43 CEST

Depends on: (none) => 1121

Comment 7 Jérôme Soyer 2011-05-04 15:13:56 CEST
I fixed fail2ban too, but same as Michael said i didn't found some patch or more information about mount and nfs-utils.
Ahmad Samir 2011-05-05 01:02:44 CEST

Blocks: (none) => 1142

Jérôme Soyer 2011-05-05 10:05:40 CEST

Blocks: (none) => 1150

Jérôme Soyer 2011-05-05 10:38:43 CEST

Blocks: (none) => 1149

Michael Scherer 2011-05-05 15:40:38 CEST

Blocks: 1142 => (none)
Depends on: (none) => 1142

Michael Scherer 2011-05-05 15:40:49 CEST

Blocks: 1149 => (none)
Depends on: (none) => 1149

Michael Scherer 2011-05-05 15:40:57 CEST

Blocks: 1150 => (none)
Depends on: (none) => 1150

Michael Scherer 2011-05-05 15:45:35 CEST

Depends on: (none) => 1157

Stew Benedict 2011-05-05 21:57:17 CEST

Depends on: (none) => 1165

Jérôme Soyer 2011-05-10 20:13:54 CEST

Blocks: (none) => 1232

Michael Scherer 2011-05-15 02:15:03 CEST

Depends on: (none) => 1280

Michael Scherer 2011-05-15 02:19:54 CEST

Depends on: (none) => 1281

Michael Scherer 2011-05-15 02:22:11 CEST

Blocks: 1232 => (none)
Depends on: (none) => 1232

Michael Scherer 2011-05-16 09:38:45 CEST

Depends on: (none) => 1298

Michael Scherer 2011-05-16 09:46:33 CEST

Depends on: (none) => 1299

Michael Scherer 2011-05-16 09:50:45 CEST

Depends on: (none) => 1300

Comment 8 Anne Nicolas 2011-05-23 13:58:41 CEST
Please do not add new bugs there as we are now working on releasing final release
Anne Nicolas 2011-05-23 18:52:17 CEST

Depends on: 1157 => (none)

Comment 9 Anne Nicolas 2011-05-23 18:53:15 CEST
Closing now as we won't add any new security updates before stable release

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.