Bug 11561

Summary: gnutls new security issue CVE-2013-4466
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/572103/
Whiteboard: advisory has_procedure mga3-32-ok mga3-64-ok
Source RPM: gnutls-3.1.13-1.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-10-29 20:25:07 CET 
Fedora has issued an advisory on October 27:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119788.html

The issue is fixed upstream in 3.1.15 and 3.2.5.

Mageia 3 is also affected.  Mageia 2 is not.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-11-05 21:27:55 CET 
Updated packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

A DNS server that returns more 4 DANE entries could corrupt the memory of a
requesting client using the DANE library from GnuTLS before 3.1.15 and 3.2.5
(CVE-2013-4466).

This updates GnuTLS to version 3.1.16, fixing this issue and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4466
http://www.gnutls.org/security.html#GNUTLS-SA-2013-3
http://lists.gnutls.org/pipermail/gnutls-help/2013-August/003216.html
http://lists.gnutls.org/pipermail/gnutls-help/2013-October/003250.html
http://lists.gnutls.org/pipermail/gnutls-help/2013-October/003262.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119788.html
========================

Updated packages in core/updates_testing:
========================
gnutls-3.1.16-1.mga3
libgnutls28-3.1.16-1.mga3
libgnutls-ssl27-3.1.16-1.mga3
libgnutls-xssl0-3.1.16-1.mga3
libgnutls-devel-3.1.16-1.mga3

from gnutls-3.1.16-1.mga3.src.rpm

Version: Cauldron => 3
Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2013-11-18 21:34:49 CET 
Just in case anyone wonders, I updated to 3.1.16 because it fixed a regression in the CVE-2013-4466 fix in 3.1.15.  This regression itself was allocated CVE-2013-4487, which we don't need to add to our advisory, since we never issued an update for 3.1.15.

http://lwn.net/Vulnerabilities/574202/
Dave Hodgins 2013-11-26 20:25:34 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 3 claire robinson 2013-11-27 15:38:31 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=6911#c1

"gnutls-cli www.mageia.org" shows handshake works. Then type anything and get a 400 error from mageia server, it shows the connection works.

Whiteboard: advisory => advisory has_procedure

Comment 4 claire robinson 2013-11-27 15:45:40 CET 
Testing complete mga2 32 & 64

Validating

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: advisory has_procedure => advisory has_procedure mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs

Comment 5 claire robinson 2013-11-27 15:45:55 CET 
oops mga3 above :D
claire robinson 2013-11-27 15:46:12 CET

Whiteboard: advisory has_procedure mga2-32-ok mga2-64-ok => advisory has_procedure mga3-32-ok mga3-64-ok

Comment 6 Thomas Backlund 2013-11-30 22:44:12 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0354.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED