https://bugs.mageia.org/show_bug.cgi?id=3956

Manuel Hiebel <manuel-XA19kHydqdCHXe+***@public.gmane.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |balcaen.john-***@public.gmane.org,
| |cjw-CllfUmslCRwdbCeoMzGj59i2O/***@public.gmane.org,
| |dmorganec-***@public.gmane.org,
| |mageia-RZzICDNEOQ/***@public.gmane.org,
| |olav-fqrEp33cg0Xz+***@public.gmane.org

--- Comment #1 from Manuel Hiebel <manuel-XA19kHydqdCHXe+***@public.gmane.org> 2011-12-31 00:08:55 CET ---
Hi, thanks for reporting this bug.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

https://bugs.mageia.org/show_bug.cgi?id=3956

D Morgan <dmorganec-***@public.gmane.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
AssignedTo|bugsquad-odJJhXpcy38dnm+***@public.gmane.org |qa-bugs-***@public.gmane.org

--- Comment #2 from D Morgan <dmorganec-***@public.gmane.org> 2011-12-31 02:42:27 CET ---
Please test networkmanager from updates_testing

https://bugs.mageia.org/show_bug.cgi?id=3956

Manuel Hiebel <manuel-XA19kHydqdCHXe+***@public.gmane.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC|balcaen.john-***@public.gmane.org, |
|cjw-CllfUmslCRwdbCeoMzGj59i2O/***@public.gmane.org, |
|mageia-RZzICDNEOQ/***@public.gmane.org, |
|olav-fqrEp33cg0Xz+***@public.gmane.org |

--- Comment #3 from Manuel Hiebel <manuel-XA19kHydqdCHXe+***@public.gmane.org> 2012-01-09 16:03:15 CET ---
Networkmanager (with networkmanager-applet) is working for me on x86_64.

https://bugs.mageia.org/show_bug.cgi?id=3956

Dave Hodgins <davidwhodgins-***@public.gmane.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |davidwhodgins-***@public.gmane.org

--- Comment #4 from Dave Hodgins <davidwhodgins-***@public.gmane.org> 2012-01-16 23:18:59 CET ---
Testing complete on i586.

Before validating the update though, the Mandriva advisory indicates
networkmanager-applet, networkmanager-openconnect,
networkmanager-openvpn, networkmanager-pptp, networkmanager-vpnc
are also provided with their latest 0.8.6.0 stable versions.

Will we be including those packages?

https://bugs.mageia.org/show_bug.cgi?id=3956

--- Comment #5 from David Walser <luigiwalser-/***@public.gmane.org> 2012-01-16 23:33:07 CET ---
(In reply to comment #4)
Good catch! Sorry this was missed earlier. D Morgan, could you build these
too?

https://bugs.mageia.org/show_bug.cgi?id=3956

--- Comment #6 from D Morgan <dmorganec-***@public.gmane.org> 2012-01-18 02:00:07 CET ---
all pushed

https://bugs.mageia.org/show_bug.cgi?id=3956

--- Comment #7 from Dave Hodgins <davidwhodgins-***@public.gmane.org> 2012-01-22 22:09:14 CET ---
I'm having trouble figuring out how to test the additional packages, so
I've posted a request for help in the testing to the general discuss
mailing list.

https://bugs.mageia.org/show_bug.cgi?id=3956

--- Comment #8 from claire robinson <eeeemail-***@public.gmane.org> 2012-01-24 16:19:53 CET ---
PPTP is unsupported IIRC due to missing support in pppd. I think the only VPN
we managed to test previously was openvpn.

https://bugs.mageia.org/show_bug.cgi?id=3956

--- Comment #9 from claire robinson <eeeemail-***@public.gmane.org> 2012-01-24 17:33:49 CET ---
* missing MPPE support

https://bugs.mageia.org/show_bug.cgi?id=3956

--- Comment #10 from Dave Hodgins <davidwhodgins-***@public.gmane.org> 2012-01-28 04:37:54 CET ---
I think we should go ahead and push the update, rather than hold it for
vpn testing. Opinions?

https://bugs.mageia.org/show_bug.cgi?id=3956

--- Comment #11 from David Walser <luigiwalser-/***@public.gmane.org> 2012-01-28 06:41:04 CET ---
I agree, but it's QA team decision of course. Here's the advisory.

Advisory:
========================

Updated networkmanager packages fix security vulnerabilities:

GNOME NetworkManager before 0.8.6 does not properly enforce the
auth_admin element in PolicyKit, which allows local users to bypass
intended wireless network sharing restrictions via unspecified vectors
(CVE-2011-2176).

Incomplete blacklist vulnerability in the svEscape function in
settings/plugins/ifcfg-rh/shvar.c in the ifcfg-rh plug-in for GNOME
NetworkManager 0.9.1, 0.9.0, 0.8.1, and possibly other versions, when
PolicyKit is configured to allow users to create new connections,
allows local users to execute arbitrary commands via a newline
character in the name for a new network connection, which is not
properly handled when writing to the ifcfg file (CVE-2011-3364).

This updates NetworkManager to 0.8.6.0 to fix these issues and
allow upgrading from Mandriva 2010.2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3364
http://cgit.freedesktop.org/NetworkManager/NetworkManager/plain/NEWS?h=NM_0_8
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:171
========================

Updated packages in core/updates_testing:
========================
libnm-glib-devel-0.8.6.0-0.1.mga1
libnm-glib-vpn-devel-0.8.6.0-0.1.mga1
libnm-glib-vpn1-0.8.6.0-0.1.mga1
libnm-glib2-0.8.6.0-0.1.mga1
libnm-util-devel-0.8.6.0-0.1.mga1
libnm-util1-0.8.6.0-0.1.mga1.i586.rpm
networkmanager-0.8.6.0-0.1.mga1
networkmanager-applet-0.8.6.0-1.1.mga1
networkmanager-openconnect-0.8.6.0-1.1.mga1
networkmanager-openvpn-0.8.6.0-1.1.mga1
networkmanager-pptp-0.8.6.0-1.mga1
networkmanager-vpnc-0.8.6.0-1.1.mga1

from SRPMS:
networkmanager-0.8.6.0-0.1.mga1.src.rpm
networkmanager-applet-0.8.6.0-1.1.mga1.src.rpm
networkmanager-openconnect-0.8.6.0-1.1.mga1.src.rpm
networkmanager-openvpn-0.8.6.0-1.1.mga1.src.rpm
networkmanager-pptp-0.8.6.0-1.mga1.src.rpm
networkmanager-vpnc-0.8.6.0-1.1.mga1.src.rpm

https://bugs.mageia.org/show_bug.cgi?id=3956

Dave Hodgins <davidwhodgins-***@public.gmane.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Keywords| |validated_update
CC| |sysadmin-bugs-***@public.gmane.org

--- Comment #12 from Dave Hodgins <davidwhodgins-***@public.gmane.org> 2012-01-28 09:46:21 CET ---
Validating the update.

Could someone from the sysadmin team pus the srpms
networkmanager-0.8.6.0-0.1.mga1.src.rpm
networkmanager-applet-0.8.6.0-1.1.mga1.src.rpm
networkmanager-openconnect-0.8.6.0-1.1.mga1.src.rpm
networkmanager-openvpn-0.8.6.0-1.1.mga1.src.rpm
networkmanager-pptp-0.8.6.0-1.mga1.src.rpm
networkmanager-vpnc-0.8.6.0-1.1.mga1.src.rpm
from Core Updates Testins to Core Updates.

Advisory: This security updated for networkmanager corrects the
following security vulnerabilities:

GNOME NetworkManager before 0.8.6 does not properly enforce the
auth_admin element in PolicyKit, which allows local users to bypass
intended wireless network sharing restrictions via unspecified vectors
(CVE-2011-2176).

Incomplete blacklist vulnerability in the svEscape function in
settings/plugins/ifcfg-rh/shvar.c in the ifcfg-rh plug-in for GNOME
NetworkManager 0.9.1, 0.9.0, 0.8.1, and possibly other versions, when
PolicyKit is configured to allow users to create new connections,
allows local users to execute arbitrary commands via a newline
character in the name for a new network connection, which is not
properly handled when writing to the ifcfg file (CVE-2011-3364).

This updates NetworkManager to 0.8.6.0 to fix these issues and
allow upgrading from Mandriva 2010.2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3364
http://cgit.freedesktop.org/NetworkManager/NetworkManager/plain/NEWS?h=NM_0_8
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:171

https://bugs.mageia.org/show_bug.cgi?id=3956

https://bugs.mageia.org/show_bug.cgi?id=3956

--- Comment #13 from Dave Hodgins <davidwhodgins-***@public.gmane.org> 2012-01-28 09:47:34 CET ---
s /updated/update/