Mageia 2020-0315: mumble security update | LinuxSecurity.com

Advisories

MGASA-2020-0315 - Updated mumble packages fix security vulnerability

Publication date: 16 Aug 2020
URL: https://advisories.mageia.org/MGASA-2020-0315.html
Type: security
Affected Mageia releases: 7

Updated mumble package fixes security vulnerability:


OCB2 is known to be broken under certain conditions:
https://eprint.iacr.org/2019/311

To execute the universal attacks described in the paper, an attacker
needs access to an encryption oracle that allows it to perform encryption
queries with attacker-chosen nonce. Luckily in Mumble the encryption nonce
is a fixed counter which is far too restrictive for the universal attacks
to be feasible against Mumble.

The basic attacks do not require an attacker-chosen nonce and as such are
more applicable to Mumble. They are however of limited use and do require
an en- and a decryption oracle which Mumble seemingly does not provide at
the same time.

To be on the safe side, this commit implements the counter-cryptanalysis
measure described in the paper in section 9 for the sender and receiver side.
This way if either server of client are patched, their communication is almost
certainly (merely lacking formal proof) not susceptible to the attacks described
in the paper.


Fixed: Potential exploit in the OCB2 encryption (#4227)

References:
- https://bugs.mageia.org/show_bug.cgi?id=26746
- https://github.com/mumble-voip/mumble/issues/4219
- https://github.com/mumble-voip/mumble/pull/4227

SRPMS:
- 7/core/mumble-1.3.2-1.mga7

Mageia 2020-0315: mumble security update

Summary

References

- https://bugs.mageia.org/show_bug.cgi?id=26746

- https://github.com/mumble-voip/mumble/issues/4219

- https://github.com/mumble-voip/mumble/pull/4227

Resolution

MGASA-2020-0315 - Updated mumble packages fix security vulnerability

SRPMS

- 7/core/mumble-1.3.2-1.mga7

Severity
Publication date: 16 Aug 2020
URL: https://advisories.mageia.org/MGASA-2020-0315.html
Type: security

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.