Bug 9931 - telepathy-idle new security issue CVE-2007-6746
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/549233/
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Keywords: validated_update
Reported: 2013-04-30 15:51 CEST by David Walser
Modified: 2013-05-10 20:26 CEST (History)

See Also:
Source RPM: telepathy-idle-0.1.11-1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-04-30 15:51:36 CEST
Upstream has released telepathy-idle 0.1.15 on April 24:
http://lists.freedesktop.org/archives/telepathy/2013-April/006431.html

The issue is that it doesn't validate SSL certificates when connecting to an IRC server with SSL.

Freeze push requested for 0.1.15 in Cauldron.

Updated package uploaded for Mageia 2.

Note to QA: You can test telepathy-idle with an IRC account in empathy.  Using SSL, it should only connect if the SSL certificate is trusted by the system CA certs.

Advisory:
========================

Updated telepathy-idle package fixes security vulnerability:

In versions prior to 0.1.15, telepathy-idle does not check the server's
SSL/TLS certificate for validity. A network intermediary could use this
flaw to carry out man-in-the-middle attacks on IRC users (CVE-2007-6746).

The telepathy-idle package has been updated to version 0.1.15 to fix
this issue as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6746
http://lists.freedesktop.org/archives/telepathy/2013-April/006431.html
https://bugs.freedesktop.org/show_bug.cgi?id=63810
http://lists.freedesktop.org/archives/telepathy/2012-November/006304.html
http://lists.freedesktop.org/archives/telepathy/2012-November/006303.html
http://lists.freedesktop.org/archives/telepathy/2012-August/006220.html
========================

Updated packages in core/updates_testing:
========================
telepathy-idle-0.1.15-1.mga2

from telepathy-idle-0.1.15-1.mga2.src.rpm

Comment 1 David Walser 2013-04-30 18:59:46 CEST
telepathy-idle-0.1.15-1.mga3 is uploaded in Cauldron.
Comment 2 David Walser 2013-05-03 18:02:44 CEST
Fedora has issued an advisory for this:
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104397.html
Comment 3 David Walser 2013-05-05 01:34:07 CEST
telepathy-idle 0.1.16 was released to fix some regressions and shortcomings (such as not working with self-signed certs) in 0.1.15:
http://lists.freedesktop.org/archives/telepathy/2013-May/006434.html

I had to patch it to build with telepathy-glib 0.18.x in Mageia 2, due to a header reorganization in telepathy-glib 0.20.x, but that was pretty easy.  I reported this upstream.

telepathy-idle 0.1.16 uploaded for Mageia 2 and Cauldron.

Addendum to previous note to QA: It sounds like they've added the ability to interactively verify whether or not to allow untrusted certificates.

Advisory:
========================

Updated telepathy-idle package fixes security vulnerability:

In versions prior to 0.1.15, telepathy-idle does not check the server's
SSL/TLS certificate for validity. A network intermediary could use this
flaw to carry out man-in-the-middle attacks on IRC users (CVE-2007-6746).

The telepathy-idle package has been updated to version 0.1.16 to fix
this issue as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6746
http://lists.freedesktop.org/archives/telepathy/2013-May/006434.html
http://lists.freedesktop.org/archives/telepathy/2013-April/006431.html
https://bugs.freedesktop.org/show_bug.cgi?id=63810
http://lists.freedesktop.org/archives/telepathy/2012-November/006304.html
http://lists.freedesktop.org/archives/telepathy/2012-November/006303.html
http://lists.freedesktop.org/archives/telepathy/2012-August/006220.html
========================

Updated packages in core/updates_testing:
========================
telepathy-idle-0.1.16-1.mga2

from telepathy-idle-0.1.16-1.mga2.src.rpm
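The check the QA note in the description describes (connect over SSL only when the certificate is trusted) and the trusted/untrusted distinction in comment 3 can be reproduced offline. The Go program below is an added example written for this page; it is not telepathy-idle's own code (which is C on GLib/GIO) and not part of the Mageia update. It issues a self-signed certificate for an assumed name irc.example.test, serves it from a loopback listener that stands in for an IRC server's SSL port, and then connects with the three client policies the bug discusses: no verification at all (the pre-0.1.15 behaviour the advisory describes), verification against the system CA store, and verification once the certificate has been explicitly trusted. It also shows that a trusted certificate presented under a different server name is still rejected. The hostnames and the loopback server are constructed for the example; nothing here talks to a real IRC network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert issues the kind of self-signed certificate a small IRC server often uses.
func selfSignedCert(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer serves cert on a loopback port, standing in for an IRC server's SSL listener.
func startServer(cert tls.Certificate) (addr string, stop func()) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	check(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			_ = c.(*tls.Conn).Handshake() // a client that rejects the cert simply aborts here
			c.Close()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// connect does the client half of the handshake, as an IRC client connecting with SSL
// would, and returns nil only if the certificate verified (chain and hostname).
func connect(addr, serverName string, cfg *tls.Config) error {
	cfg = cfg.Clone()
	cfg.ServerName = serverName
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

type Results struct {
	UnverifiedOK bool  // pre-0.1.15 behaviour: certificate never checked
	ErrUntrusted error // verifying client against the stock system CA store
	TrustedOK    bool  // verifying client after the cert has been trusted
	ErrWrongHost error // trusted cert, but presented under a different server name
}

func RunScenarios() Results {
	const host = "irc.example.test" // assumed name for the loopback stand-in; not a real server
	cert := selfSignedCert(host)
	addr, stop := startServer(cert)
	defer stop()
	pool := x509.NewCertPool() // models "added to the CA bundle" or "accepted by the user"
	pool.AddCert(cert.Leaf)
	return Results{
		// Vulnerable policy: anything is accepted, so an intermediary's cert is too.
		UnverifiedOK: connect(addr, host, &tls.Config{InsecureSkipVerify: true}) == nil,
		// RootCAs nil selects the system store; a self-signed cert must fail there.
		ErrUntrusted: connect(addr, host, &tls.Config{}),
		TrustedOK:    connect(addr, host, &tls.Config{RootCAs: pool}) == nil,
		// A trusted issuer is not enough; the name must match the server we asked for.
		ErrWrongHost: connect(addr, "other.example.test", &tls.Config{RootCAs: pool}),
	}
}

// IsHostnameMismatch reports whether err is specifically a SAN/hostname failure.
func IsHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	r := RunScenarios()
	fmt.Printf("%+v\nwrong-host failure is a hostname mismatch: %v\n", r, IsHostnameMismatch(r.ErrWrongHost))
}
```

Run it with `go run` on a machine with a normal CA bundle: the unverified client connects, the system-store client fails with an unknown-authority error (the behaviour the 0.1.15 fix introduces), the client with the certificate in its pool connects (the self-signed case 0.1.16 lets the user accept), and the wrong-name client fails with a hostname mismatch even though the issuer is trusted. The same four cases are what a QA tester is checking by hand when connecting empathy to an IRC server with a self-signed certificate.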
Comment 4 claire robinson 2013-05-07 14:50:40 CEST
Testing complete mga2 64

Now gives certificate warning for self-signed connections.
Comment 5 claire robinson 2013-05-10 13:33:52 CEST
Testing complete mga2 32

Validating

Advisory & srpm in comment 3

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 6 Thomas Backlund 2013-05-10 20:26:34 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0144
