[SECURITY] Fedora 14 Update: NetworkManager-0.8.4-2.git20110622.fc14

updates at fedoraproject.org updates at fedoraproject.org
Fri Aug 12 18:23:49 UTC 2011


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-8612
2011-06-24 02:46:23
--------------------------------------------------------------------------------

Name        : NetworkManager
Product     : Fedora 14
Version     : 0.8.4
Release     : 2.git20110622.fc14
URL         : http://www.gnome.org/projects/NetworkManager/
Summary     : Network connection manager and user applications
Description :
NetworkManager is a system network service that manages your network devices
and connections, attempting to keep active network connectivity when available.
It manages ethernet, WiFi, mobile broadband (WWAN), and PPPoE devices, and
provides VPN integration with a variety of different VPN services.

--------------------------------------------------------------------------------
Update Information:

This update fixes the security issue for creating shared WiFi networks.
It's been tracked by #709662 - CVE-2011-2176.

Before this update, NetworkManager didn't respect PolicyKit policies for
creating shared WiFi networks: actions org.freedesktop.network-manager-settings.system.wifi.share.open
and org.freedesktop.network-manager-settings.system.wifi.share.protected in
/usr/share/polkit-1/actions/org.freedesktop.network-manager-settings.system.policy file.
Thus, users could create shared WiFi networks even if it was disabled via the PolicyKit setting.
This update fixes this issue. Be aware, that the default policies still allow creating shared WiFi
networks. You should modify <allow_active>yes</allow_active> to <allow_active>auth_admin</allow_active>
if you require authorization with root password, or to <allow_active>no</allow_active> to disallow
creating the networks altogether through the above PolicyKit actions.

In addition, this update fixes other bugs by updating NetworkManager to git snaphot as of 2011-06-22.
- core: fix up checks for s390 CTC device type (bgo #649025)
- core: recognize platform 'gadget' devices
- core: only send hostname without domain as host-name option (rh #694758)
- core: clear 'invalid' connection tag when cable is re-plugged
- core: fix crash requesting system VPN secrets (bgo #651710)
- core: add MAC address blacklisting feature for WiFi and ethernet connections
- core: allow _ as a valid character for GSM APNs
- wifi: always fix up Ad-Hoc frequency when connecting (rh #699203)
- keyfile: better handle cert/key files that don't exist (bgo #649807)
- keyfile: ignore .pem and .der file changes
- editor: improve usability for entering manual IP addresses and routes (rh #698199) (bgo #607678)
- editor: don't crash in edit_done_cb() when connection is invalid (rh #704848)
- editor: don't allow inserting 0.0.0.0 as destination and netmask for IPv4 routes
- editor: allow _ as a valid character for GSM APNs
- applet: ensure entries activate default button if Enter is pressed (rh #622487)
- applet: add gsm registration status notification
- applet: filter APN entry characters in mobile-wizard
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun 22 2011 Jiří Klimeš <jklimes at redhat.com> - 0.8.4-2.git20110622
- core: respect PolicyKit permissions for creating shared WiFi networks (rh #709662)
- core: fix up checks for s390 CTC device type (bgo #649025)
- core: recognize platform 'gadget' devices
- core: only send hostname without domain as host-name option (rh #694758)
- core: clear 'invalid' connection tag when cable is re-plugged
- core: fix crash requesting system VPN secrets (bgo #651710)
- core: add MAC address blacklisting feature for WiFi and ethernet connections
- core: allow _ as a valid character for GSM APNs
- wifi: always fix up Ad-Hoc frequency when connecting (rh #699203)
- keyfile: better handle cert/key files that don't exist (bgo #649807)
- keyfile: ignore .pem and .der file changes
- editor: improve usability for entering manual IP addresses and routes (rh #698199) (bgo #607678)
- editor: don't crash in edit_done_cb() when connection is invalid (rh #704848)
- editor: don't allow inserting 0.0.0.0 as destination and netmask for IPv4 routes
- editor: allow _ as a valid character for GSM APNs
- applet: ensure entries activate default button if Enter is pressed (rh #622487)
- applet: add gsm registration status notification
- applet: filter APN entry characters in mobile-wizard
* Wed Apr 20 2011 Dan Williams <dcbw at redhat.com> - 0.8.4-1
- Update to 0.8.4
- core: fix crash starting VPN connections
- core: write usable DNS configuration on shutdown when local caching nameserver is used
- ifcfg-rh: fix writing out wifi connections changed from WPA to open (rh #695604)
* Thu Apr 14 2011 Dan Williams <dcbw at redhat.com> - 0.8.3.999-2.git20110414
- fix location of nm-version.h again
* Thu Apr 14 2011 Dan Williams <dcbw at redhat.com> - 0.8.3.999-1.git20110414
- Update to 0.8.3.999 (0.8.4-rc2)
- core: ensure correct supplicant options are used for wired 802.1x
- core: fix handling of S390/Hercules CTC network interfaces (rh #641986)
- core: fix handling of infinite IPv6 RDNSS timeouts (rh #689291)
- core: fix handling of WWAN enable/disable states
- core: support Easytether interfaces for Android phones
- editor: fix crash when scrolling through connection lists (rh #688844)
- applet: fix crash after using the wifi or wired secrets dialogs (rh #688535)
- applet: fix handling of "always ask" passwords (rh #692519) (rh #692578)
- editor: ensure all pages are sensitive after retrieving secrets (rh #670217)
- ifcfg-rh: fix handling of s390 CTC devices and configuration (rh #641986)
- ifcfg-rh: harmonize handling if IPADDR/PREFIX/NETMASK with initscripts (rh #658907)
* Thu Mar 24 2011 Dan Williams <dcbw at redhat.com> - 0.8.3.998-2
- nm-version.h should be in NetworkManager-devel, not -glib-devel (rh #685442)
* Fri Mar 18 2011 Dan Williams <dcbw at redhat.com> - 0.8.3.998-1
- Update to 0.8.3.998 (0.8.4-rc1)
- applet: don't overwrite already migrated certificate paths (rh #682288)
- core: fix some mistakenly invisible libnm-glib symbols
* Thu Mar  3 2011 Dan Williams <dcbw at redhat.com> - 0.8.3.997-1
- Update to 0.8.3.997 (0.8.4-beta3)
- editor: fix crash requesting VPN secrets (rh #680707)
- core: keep connection timestamps in lookaside file, not in /etc
* Fri Feb 25 2011 Dan Williams <dcbw at redhat.com> - 0.8.3.996-1
- Update to 0.8.3.996 (0.8.4-beta2)
- core: fix secrets handling (rh #680385)
* Thu Feb 24 2011 Dan Williams <dcbw at redhat.com> - 0.8.3.995-1
- Update to 0.8.3.995 (0.8.4-beta1)
- core: send hostname to DHCP server by default (rh #488975)
- core: fix updating resolv.conf (rh #672282)
- core: ensure devices are cleaned up when removed
- core: handle reverse DNS in local caching nameserver configurations
- core: IPv6 addressing, routing, and compliance fixes
- core: stop touching /etc/hosts (rh #648725)
- core: fix shutdown crashes (rh #676316)
- core: suppress messages about missing user settings service (rh #655322)
- core: seamless support for RFC3442 classless static routes (rh #639935)
- wifi: fix validity checks for Ad-Hoc APs (rh #632123)
- modem: fixes for T-Mobile Rocket 2.0 modems
- keyfile: ignore MAC address case for unmanaged-devices (rh #654714)
- ifcfg-rh: fix crash when writing connections with missing IPv4 settings (rh #655002)
- ifcfg-rh: allow missing or 0.0.0.0 GATEWAYx keys (rh #647992)
- ifcfg-rh: respect GATEWAYDEV for ibft/iSCSI configurations (rh #665027)
- ifcfg-rh: read/write IPv6 gateway correctly (rh #604334, rh #666078)
- ifcfg-rh: fix missing connections when an unmanaged interface is present
- applet: fix crashes related to missing icons (rh #657352)
- applet: show IPv6 details in Connection Information dialog (rh #591929)
* Wed Nov  3 2010 Dan Williams <dcbw at redhat.com> - 0.8.2-1
- Update to 0.8.2
* Mon Nov  1 2010 Dan Williams <dcbw at redhat.com> - 0.8.1-10
- core: preserve WiFi Enabled state across reboot and suspend/resume
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #709662 - CVE-2011-2176 NetworkManager: Did not honour PolicyKit auth_admin action element by creation of Ad-Hoc wireless networks
        https://bugzilla.redhat.com/show_bug.cgi?id=709662
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update NetworkManager' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


More information about the package-announce mailing list