Bug 12763

Summary: gnutls new security issue CVE-2014-1959
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: balaton, fundawang, mageia, oe, rverschelde, stormi-mageia, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/586796/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory
Source RPM: gnutls CVE:
Status comment:

Description David Walser 2014-02-14 00:00:01 CET 
A CVE has been assigned for an issue fixed upstream in 3.1.21 and 3.2.11:
http://openwall.com/lists/oss-security/2014/02/13/6
http://openwall.com/lists/oss-security/2014/02/13/7

We should probably just update to the newest versions since 1) we've already been doing that on Mageia 3 and 2) 3.2.x is considered "stable" upstream now as of 3.2.9 IIRC, and we have 3.2.7 in Mageia 4.

Reproducible: 

Steps to Reproduce:
David Walser 2014-02-14 00:00:22 CET

CC: (none) => fundawang
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Oden Eriksson 2014-02-14 08:11:54 CET 
fixed with gnutls-3.1.16-1.1.mga3, gnutls-3.2.7-1.1.mga4 and gnutls-3.2.11-1.mga5

CC: (none) => oe

Comment 2 David Walser 2014-02-14 17:30:12 CET 
Thanks Oden!

Advisory:
========================

Updated gnutls packages fix security vulnerability:

Suman Jana reported a vulnerability that affects the certificate verification
functions of gnutls 3.1.x and gnutls 3.2.x. A version 1 intermediate
certificate will be considered as a CA certificate by default (something that
deviates from the documented behavior) (CVE-2014-1959).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
http://www.gnutls.org/security.html#GNUTLS-SA-2014-1
========================

Updated packages in core/updates_testing:
========================
gnutls-3.1.16-1.1.mga3
libgnutls28-3.1.16-1.1.mga3
libgnutls-ssl27-3.1.16-1.1.mga3
libgnutls-xssl0-3.1.16-1.1.mga3
libgnutls-devel-3.1.16-1.1.mga3
gnutls-3.2.7-1.1.mga4
libgnutls28-3.2.7-1.1.mga4
libgnutls-ssl27-3.2.7-1.1.mga4
libgnutls-xssl0-3.2.7-1.1.mga4
libgnutls-devel-3.2.7-1.1.mga4

from SRPMS:
gnutls-3.1.16-1.1.mga3.src.rpm
gnutls-3.2.7-1.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 Samuel Verschelde 2014-02-15 13:24:35 CET 
basic testing procedure (feel free to add to it):

https://bugs.mageia.org/show_bug.cgi?id=6911#c1

CC: (none) => stormi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 4 Colin Guthrie 2014-02-15 14:28:04 CET 
Basic testing as per above in M3-64 goes OK.

Note: as an additional test you can type e.g.:

GET / HTTP/1.1
Host: www.mageia.org

into gnutls-cli to simulate an HTTP request, but really this doesn't actually test the TLS but any more than a random connection, so it's somewhat pointless :)

CC: (none) => mageia
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok

Comment 5 Colin Guthrie 2014-02-15 14:29:36 CET 
Basic testing M4-64 OK.

Whiteboard: MGA3TOO has_procedure mga3-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok

Comment 6 Zoltan Balaton 2014-02-15 18:50:04 CET 
Tested successfully on Mga3-32 with the procedure above.

CC: (none) => balaton
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga3-32-ok

Comment 7 RĂ©mi Verschelde 2014-02-16 13:20:05 CET 
Testing complete Mageia 4 i586.

--

Validating update. Advisory has been uploaded. Please push to 3 & 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory
CC: (none) => remi, sysadmin-bugs

Comment 8 Thomas Backlund 2014-02-16 14:49:06 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0077.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-02-18 17:49:35 CET

URL: (none) => http://lwn.net/Vulnerabilities/586796/