Re: GoAgent vulnerabilities: CA cert with known private key, TLS MITM

Posted by David Fifield on Nov 01

It appears that this problem is now fixed. The software now generates a
CA certificate with an unpredictable private key when run for the first
time. The fix is in the released version 3.2.1.

https://github.com/goagent/goagent/compare/0e2eb37c098b2a5653aac24a6256f0d262d2be47...77c8e7f131f9eb7d857cded9c0bc2f662e80b78a

I’ve updated the advisory page.

David Fifield

Fedora 20 Security Update: pidgin-2.10.10-1.fc20

Resolved Bugs
1155838 – CVE-2014-3698 CVE-2014-3694 CVE-2014-3695 CVE-2014-3696 pidgin: various flaws [fedora-all]
1154908 – CVE-2014-3694 pidgin: SSL/TLS plug-ins failed to check Basic Constraints
1154909 – CVE-2014-3695 pidgin: crash in MXit protocol plug-in
1154910 – CVE-2014-3696 pidgin: denial of service parsing Groupwise server message
1154911 – CVE-2014-3698 pidgin: remote information leak via crafted XMPP message

Update to 2.10.10
Security fix for CVE-2014-3694, CVE-2014-3695, CVE-2014-3696, CVE-2014-3698

Fedora 19 Security Update: php-sabredav-Sabre_VObject-2.1.4-1.fc19,php-sabredav-Sabre_HTTP-1.7.11-1.fc19,php-sabredav-Sabre_CalDAV-1.7.9-1.fc19,php-sabredav-Sabre_DAVACL-1.7.9-1.fc19,php-sabredav-Sabre_CardDAV-1.7.9-2.fc19,php-sabredav-Sabre_DAV-1.7.13-1.fc19,owncloud-5.0.17-2.fc19

Resolved Bugs
1035593 – CVE-2013-6403 owncloud: possible security bypass on admin page (5.0.13) [fedora-all]

This update provides ownCloud 5.0.17, the latest release in the 5.x series, plus an extra security-related fix backported from the stable5 branch.
It also provides SabreDAV 1.7.13. This is also a major upgrade from SabreDAV 1.6, and has API incompatibilities. ownCloud is the only Fedora 19 package that requires SabreDAV, and ownCloud 5 cannot work with SabreDAV 1.6: the API-incompatible upgrade is unfortunate but necessary to provide a secure ownCloud release.
ownCloud 4.5, the current version in Fedora 19, is unmaintained, subject to known security issues, and has no upgrade path beyond ownCloud 5. Upgrading directly from 4.5 to the current version in Fedora 20 or 21 – ownCloud 7 – would likely fail.
I plan to update the package to 6.x before Fedora 19 goes EOL and maintain the 5.x and 6.x builds in a side repository to make sure there is a viable upgrade path from Fedora 19.
Initial testing on the 4.x -> 5.x upgrade has been performed, but please back up your user data, ownCloud configuration and ownCloud database before performing the upgrade. Please file negative karma and a bug report for any issues encountered during the upgrade. Ideally, the upgrade should run smoothly on first access to the updated ownCloud instance with no manual intervention required.

Fedora 19 Security Update: kernel-3.14.23-100.fc19

Resolved Bugs
1144883 – CVE-2014-3610 kernel: kvm: noncanonical MSR writes
1156543 – CVE-2014-3610 kernel: kvm: noncanonical MSR writes [fedora-all]
1156518 – CVE-2014-8369 kernel: kvm: excessive pages un-pinning in kvm_iommu_map error path
1144878 – CVE-2014-3611 kernel: kvm: PIT timer race condition
1156537 – CVE-2014-3611 kernel: kvm: PIT timer race condition [fedora-all]
1156522 – CVE-2014-8369 kernel: kvm: excessive pages un-pinning in kvm_iommu_map error path [fedora-all]
1144825 – CVE-2014-3646 kernel: kvm: vmx: invvpid vm exit not handled
1156534 – CVE-2014-3646 kernel: kvm: vmx: invvpid vm exit not handled [fedora-all]
1153322 – CVE-2014-3690 kernel: kvm: vmx: invalid host cr4 handling across vm entries
1155372 – CVE-2014-3690 kernel: kvm: vmx: invalid host cr4 handling across vm entries [fedora-all]
1155745 – CVE-2014-3688 kernel: net: sctp: remote memory pressure from excessive queueing
1155751 – CVE-2014-3688 kernel: net: sctp: remote memory pressure from excessive queueing [fedora-all]
1155731 – CVE-2014-3687 kernel: net: sctp: fix panic on duplicate ASCONF chunks
1155738 – CVE-2014-3687 kernel: net: sctp: fix panic on duplicate ASCONF chunks [fedora-all]
1147850 – CVE-2014-3673 kernel: sctp: skb_over_panic when receiving malformed ASCONF chunks
1155727 – CVE-2014-3673 kernel: sctp: skb_over_panic when receiving malformed ASCONF chunks [fedora-all]

The 3.14.23 stable update contains a number of important fixes across the tree.
Various security fixes for KVM and SCTP

Fedora 19 Security Update: php-ZendFramework2-2.2.8-2.fc19

Resolved Bugs
1151276 – CVE-2014-8088 php-ZendFramework: null byte issue, connect to LDAP without knowing the password (ZF2014-05)
1151277 – CVE-2014-8089 php-ZendFramework: SQL injection issue when using the sqlsrv PHP extension (ZF2014-06)
1151278 – php-ZendFramework2: various flaws [fedora-all]

# Security Fixes
– **ZF2014-05**: Due to an issue that existed in PHP’s LDAP extension, it is possible to perform an unauthenticated simple bind against an LDAP server by using a null byte for the password, regardless of whether or not the user normally requires a password. We have provided a patch in order to protect users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all versions of PHP 5.3 and below). If you use ZendLdap and are on an affected version of PHP, we recommend upgrading immediately.
– **ZF2014-06**: A potential SQL injection vector existed when using a SQL Server adapter to manually quote values due to the fact that it was not escaping null bytes. Code was added to ensure null bytes are escaped, and thus mitigate the SQLi vector. We do not recommend manually quoting values, but if you do, and use the SQL Server adapter without PDO, we recommend upgrading immediately.
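The two advisories above share one root cause: a string that the application treats as opaque is handed to a C API as a NUL-terminated buffer, so everything after the first 0x00 byte is silently dropped. The following added example (not Zend Framework or Fedora code) models that truncation for both cases and shows the application-side checks that close it. The sample directory, the DN and password, the `simulated_ldap_simple_bind`, `guarded_bind` and quoting helpers, and the choice to escape NUL as the two characters `\0` are all assumptions made for this illustration, not the project's actual implementation.

```python
# Added example, not Zend Framework or Fedora code. Models the null-byte
# defects in ZF2014-05 (LDAP simple bind) and ZF2014-06 (manual SQL quoting)
# and the checks that close them. All names and data here are constructed.

# Constructed sample directory: DN -> password the server expects.
SAMPLE_DIRECTORY = {
    "cn=alice,dc=example,dc=org": "correct horse battery staple",
}


def c_string(value: str) -> str:
    """Model what a C API sees when a PHP string is passed as a NUL-terminated
    buffer: everything from the first NUL byte onward is lost."""
    return value.split("\x00", 1)[0]


def simulated_ldap_simple_bind(directory: dict, dn: str, password: str) -> str:
    """Hypothetical server-side simple bind. Per RFC 4513 section 5.1.2, a
    name with an empty password is an *unauthenticated* bind, which many
    servers accept. The password arrives NUL-truncated, as it did through the
    unpatched PHP LDAP extension described in ZF2014-05."""
    password = c_string(password)
    if password == "":
        return "unauthenticated"        # accepted without checking any credential
    if directory.get(dn) == password:
        return "authenticated"
    return "invalid-credentials"


def guarded_bind(directory: dict, dn: str, password: str) -> str:
    """Application-side check of the kind the ZF patch adds: never send a
    password that is empty or contains a NUL byte, so the server cannot
    downgrade the request to an unauthenticated bind."""
    if password == "" or "\x00" in password:
        return "refused"
    return simulated_ldap_simple_bind(directory, dn, password)


# --- ZF2014-06: manual quoting for a SQL Server adapter --------------------

def naive_quote(value: str) -> str:
    """Quoting that only doubles single quotes (the pre-fix behaviour as the
    advisory describes it): a NUL byte passes through untouched."""
    return "'" + value.replace("'", "''") + "'"


def quote_with_nul_escaped(value: str) -> str:
    """Quoting that also neutralises NUL bytes. Escaping NUL as the two
    characters '\\0' is an assumption of this example, not ZF's exact
    replacement; the point is that no raw 0x00 byte reaches the driver."""
    return "'" + value.replace("'", "''").replace("\x00", "\\0") + "'"


def sql_seen_by_driver(quoted: str) -> str:
    """Model a driver that hands the literal to a C API as a NUL-terminated
    string: the literal is cut at the first NUL, leaving the quote unbalanced
    and whatever the application appends next inside the statement."""
    return c_string(quoted)


if __name__ == "__main__":
    dn = "cn=alice,dc=example,dc=org"
    print("unpatched bind with NUL password:", simulated_ldap_simple_bind(SAMPLE_DIRECTORY, dn, "\x00"))
    print("guarded bind with NUL password:  ", guarded_bind(SAMPLE_DIRECTORY, dn, "\x00"))
    value = "abc\x00def"
    print("naive quoting, as the driver sees it:  ", repr(sql_seen_by_driver(naive_quote(value))))
    print("escaped quoting, as the driver sees it:", repr(sql_seen_by_driver(quote_with_nul_escaped(value))))
```

The LDAP half shows why "reject empty or NUL-containing passwords before binding" is the right application-side mitigation even on a patched PHP: the server's unauthenticated-bind behaviour is standard, so the only safe place to stop the downgrade is before the request leaves the client. The SQL half shows that the quote imbalance comes from truncation, not from the quote character itself, which is why doubling single quotes alone is not enough.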

Fedora 20 Security Update: mokutil-0.2.0-1.fc20,shim-signed-0.8-3

Resolved Bugs
1148230 – CVE-2014-3675 shim: out-of-bounds memory read flaw in DHCPv6 packet processing
1148231 – CVE-2014-3676 shim: heap-based buffer overflow flaw in IPv6 address parsing
1148232 – CVE-2014-3677 shim: memory corruption flaw when processing Machine Owner Keys (MOKs)

This update fixes CVE-2014-3675, CVE-2014-3676 and CVE-2014-3677, and moves to the 0.8 release, which adds support for AArch64 and fixes several bugs.

Fedora 19 Security Update: mokutil-0.2.0-1.fc19,shim-signed-0.8-2

Resolved Bugs
1148230 – CVE-2014-3675 shim: out-of-bounds memory read flaw in DHCPv6 packet processing
1148231 – CVE-2014-3676 shim: heap-based buffer overflow flaw in IPv6 address parsing
1148232 – CVE-2014-3677 shim: memory corruption flaw when processing Machine Owner Keys (MOKs)

This update fixes CVE-2014-3675, CVE-2014-3676 and CVE-2014-3677, and moves to the 0.8 release, which adds support for AArch64 and fixes several bugs.

Fedora 20 Security Update: fedup-0.9.0-1.fc20

Resolved Bugs
1038413 – fedup stage2 keymap will always be US again for F20-F21 due to anaconda not writing vconsole.keymap kernel parameter any more (#1035316)
1153816 – Fedup needs to support upgrading into a Productized Fedora 21
1066679 – CVE-2013-6494 fedup: /var/tmp/fedora-upgrade temporary directory creation vulnerability

* Adds `--product=PRODUCT` flag, required for upgrades to F21
* Uses host’s config files in `upgrade.img`, which should fix various upgrade problems (e.g. incorrect keyboard layout when unlocking disks due to missing `vconsole.conf`)
* Logging improvements: complete upgrade log should appear in system journal

Fedora 20 Security Update: qemu-1.6.2-10.fc20

Resolved Bugs
1157647 – CVE-2014-7815 qemu: vnc: insufficient bits_per_pixel from the client sanitization [fedora-all]
1157641 – CVE-2014-7815 qemu: vnc: insufficient bits_per_pixel from the client sanitization
1153038 – CVE-2014-3689 qemu: vmware_vga: insufficient parameter validation in rectangle functions [fedora-all]
1153035 – CVE-2014-3689 qemu: vmware_vga: insufficient parameter validation in rectangle functions

* CVE-2014-7815 vnc: insufficient bits_per_pixel from the client sanitization (bz #1157647, bz #1157641)
* CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle functions (bz #1153038, bz #1153035)

Fedora 19 Security Update: fedup-0.9.0-1.fc19

Resolved Bugs
1038413 – fedup stage2 keymap will always be US again for F20-F21 due to anaconda not writing vconsole.keymap kernel parameter any more (#1035316)
1153816 – Fedup needs to support upgrading into a Productized Fedora 21
1066679 – CVE-2013-6494 fedup: /var/tmp/fedora-upgrade temporary directory creation vulnerability
1044987 – fedup-0.8.0-3.fc20.noarch exits if double clicking on the window to max/min it
1045090 – [abrt] fedup: download.py:133:setup_repos:ValueError: need more than 1 value to unpack
1044083 – [abrt] fedup: commandline.py:197:device_setup:NameError: global name ‘message’ is not defined
1043981 – [abrt] fedup: fedup-cli:216:main:AttributeError: ‘ProblemSummary’ object has no attribute ‘format_details’
1047005 – [abrt] fedup: download.py:276:find_replacement:AttributeError: ‘NoneType’ object has no attribute ‘pkgtup’

* Adds `--product=PRODUCT` flag, required for upgrades to F21
* Uses host’s config files in `upgrade.img`, which should fix various upgrade problems (e.g. incorrect keyboard layout when unlocking disks due to missing `vconsole.conf`)
* Logging improvements: complete upgrade log should appear in system journal
* Adds a warning for upgrades without a new kernel
* Fixes a bunch of crashes