From the Red Hat bug linked to from URL: The Berkeley Open Infrastructure for Network Computing (BOINC) client software incorrectly checked the result after calling the RSA_public_decrypt function, allowing a malformed signature to be treated as a good signature rather than as an error. This issue affected the signature checks on RSA keys used with SSL/TLS. We are WAY behind upstream, and they released an updated version. Can you give us a new shiny BOINC?
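The return-value pitfall described in the comment above, as an added example that is not BOINC's code or the upstream changeset. `toy_public_decrypt`, `toy_sign`, `verify_flawed` and `verify_strict` are hypothetical names, and the toy decrypt only mimics the return convention of `RSA_public_decrypt` (recovered length on success, -1 on error).

```c
#include <stdio.h>
#include <string.h>
#define DIGEST_LEN 16

/* Stand-in (assumption) for the decrypt primitive. It keeps the return
 * convention of RSA_public_decrypt: recovered length on success, -1 on error.
 * Toy format constructed for this example: 0x01 marker, then digest ^ 0x5a. */
static int toy_public_decrypt(int flen, const unsigned char *from, unsigned char *to)
{
    if (flen != DIGEST_LEN + 1 || from[0] != 0x01) return -1; /* malformed */
    for (int i = 0; i < DIGEST_LEN; i++)
        to[i] = from[i + 1] ^ 0x5a;
    return DIGEST_LEN;
}

/* Builds a well-formed toy signature over digest (constructed sample data). */
void toy_sign(const unsigned char *digest, unsigned char *sig)
{
    sig[0] = 0x01;
    for (int i = 0; i < DIGEST_LEN; i++)
        sig[i + 1] = digest[i] ^ 0x5a;
}

/* Hypothetical flawed check: only 0 counts as failure, so the -1 error
 * return falls through and the malformed signature is reported as good. */
int verify_flawed(const unsigned char *sig, int siglen, const unsigned char *digest)
{
    unsigned char out[DIGEST_LEN] = {0};
    int n = toy_public_decrypt(siglen, sig, out);
    if (n == 0) return 0;
    if (n > 0 && memcmp(out, digest, DIGEST_LEN) != 0) return 0;
    return 1;
}

/* Strict check: anything but the exact expected length is a failure. */
int verify_strict(const unsigned char *sig, int siglen, const unsigned char *digest)
{
    unsigned char out[DIGEST_LEN] = {0};
    int n = toy_public_decrypt(siglen, sig, out);
    return n == DIGEST_LEN && memcmp(out, digest, DIGEST_LEN) == 0;
}

int main(void)
{
    unsigned char d[DIGEST_LEN] = "constructed-md5", s[DIGEST_LEN + 1];
    toy_sign(d, s);
    s[0] = 0x00; /* corrupt the marker: decrypt now returns -1 */
    printf("flawed=%d strict=%d\n", verify_flawed(s, sizeof s, d), verify_strict(s, sizeof s, d));
    return 0;
}
```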
Adjusting severity, setting to B4
OK guys, I would love to bump, but they didn't create the new version. I can patch the tree, or actually any of you can do it in the meantime; I am without a tree. So the changeset is this: http://boinc.berkeley.edu/trac/changeset/16883 Just create a patch and you will be fine, I guess.
Is it possible to make this patch? Thank you in advance.
Created attachment 182099 RSA_Spoofing_Vulnerability.patch
Created attachment 182100 New ebuild for boinc-6.4.5 with RSA patch
I created the patch and a new ebuild to implement it. I tested it; for me it's working. Calculate it!
Revision bumped with applied patch. Removed affected version. So it is really just up to you Security guys :P
Thanks. I could have sworn that there was a stable boinc somewhere. But sources.g.o says otherwise. Rerating ~4, then. As there was no previous version stable, security won't call for stable markings. All users will get your update anyway (seeing that you removed all other versions). Either way, there's no glsa for this. Thanks for the swift reaction!
 * Applying 6.4.5-RSA_security.patch ...
 * Failed Patch: 6.4.5-RSA_security.patch !
 * ( /usr/portage/sci-misc/boinc/files/6.4.5-RSA_security.patch )
 *
 * Include in your bugreport the contents of:
 *
 * /var/tmp/portage/sci-misc/boinc-6.4.5-r1/temp/6.4.5-RSA_security.patch-9434.out
Created attachment 182292 /var/tmp/portage/sci-misc/boinc-6.4.5-r1/temp/6.4.5-RSA_security.patch-9434.out
Back to ebuild
I don't get why it did this, but now it should work ;]
(In reply to comment #10)
> Created an attachment (id=182292)
> /var/tmp/portage/sci-misc/boinc-6.4.5-r1/temp/6.4.5-RSA_security.patch-9434.out
>
I ran into this as well.
(In reply to comment #13)
> (In reply to comment #10)
> > Created an attachment (id=182292)
> > /var/tmp/portage/sci-misc/boinc-6.4.5-r1/temp/6.4.5-RSA_security.patch-9434.out
> >
> I ran into this as well.
>
Wait for your mirror to catch up, and sync.
Still no GLSA needed.
Yes, it's working now after sync about two hours ago.