| Summary: | gnutls new security issue CVE-2014-0092 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | arnaud, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/589237/ | | |
| Whiteboard: | MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory | | |
| Source RPM: | gnutls-3.2.11-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2014-03-03 16:52:39 CET
Updated package uploaded for Cauldron. Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

It was discovered that GnuTLS X.509 certificate verification code failed to properly handle certain errors that can occur during the certificate verification in GnuTLS before 3.1.22 and 3.2.12. When such errors are encountered, GnuTLS would report successful verification of the certificate, even though verification should end with failure. A specially-crafted certificate can be accepted by GnuTLS as valid even if it wasn't issued by any trusted Certificate Authority. This can be used to perform man-in-the-middle attacks against applications using GnuTLS (CVE-2014-0092).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
http://gnutls.org/security.html#GNUTLS-SA-2014-2
https://bugzilla.redhat.com/show_bug.cgi?id=1069865
========================

Updated packages in core/updates_testing:
========================
gnutls-3.1.16-1.2.mga3
libgnutls28-3.1.16-1.2.mga3
libgnutls-ssl27-3.1.16-1.2.mga3
libgnutls-xssl0-3.1.16-1.2.mga3
libgnutls-devel-3.1.16-1.2.mga3
gnutls-3.2.7-1.2.mga4
libgnutls28-3.2.7-1.2.mga4
libgnutls-ssl27-3.2.7-1.2.mga4
libgnutls-xssl0-3.2.7-1.2.mga4
libgnutls-devel-3.2.7-1.2.mga4

from SRPMS:
gnutls-3.1.16-1.2.mga3.src.rpm
gnutls-3.2.7-1.2.mga4.src.rpm

Version: Cauldron => 4

No PoC found and no further information available for testing. Using this: https://bugs.mageia.org/show_bug.cgi?id=6911#c1 to show that the handshake works with "gnutls-cli www.mageia.org", testing MGA3 32bit is working fine.

Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK

Tested the same procedure with no findings on the following systems:
- MGA3 64bit
- MGA4 32bit
- MGA4 64bit

As long as there is no further test procedure, this update can be validated after the advisory is uploaded.

Whiteboard: MGA3TOO MGA3-32-OK => MGA3TOO MGA4-32-OK MGA3-64-OK MGA4-32-OK MGA-64-OK
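The advisory in the description says that certain internal errors during X.509 verification were reported as a successful verification. The following C illustration of that bug class is added here and is not taken from GnuTLS or from this bug report: a hypothetical verifier whose error path leaks a negative error code through a cleanup label to a caller that treats any non-zero result as "verified", beside a hardened form where every error maps to failure; all names and the error code are made up for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not GnuTLS source: hypothetical verifier API.
 * Convention: 1 = certificate verified, 0 = not verified. */
#define ERR_MISSING_ISSUER (-7)   /* hypothetical negative error code */

/* Vulnerable pattern: an internal error is stored in the same variable
 * that carries the boolean verdict and escapes through the cleanup label. */
static int verify_vulnerable(const char *issuer, int sig_ok, const char *ca)
{
    int result = 0;
    if (issuer == NULL) {
        result = ERR_MISSING_ISSUER;
        goto cleanup;            /* error leaks out as a non-zero value */
    }
    if (strcmp(issuer, ca) == 0 && sig_ok)
        result = 1;
cleanup:
    return result;
}

/* Caller written as "non-zero means verified": accepts the error case. */
int accepts_vulnerable(const char *issuer, int sig_ok, const char *ca)
{
    return verify_vulnerable(issuer, sig_ok, ca) != 0;
}

/* Hardened pattern: an error is a verification failure, and the verdict
 * variable can only ever be 0 or 1. */
static int verify_fixed(const char *issuer, int sig_ok, const char *ca)
{
    int result = 0;
    if (issuer == NULL)
        goto fail;
    if (strcmp(issuer, ca) == 0 && sig_ok)
        result = 1;
    return result;
fail:
    return 0;                    /* error path normalised to "not verified" */
}

/* Caller also checks for the exact success value rather than "non-zero". */
int accepts_fixed(const char *issuer, int sig_ok, const char *ca)
{
    return verify_fixed(issuer, sig_ok, ca) == 1;
}
```

The error case (issuer missing, signature not checked) is accepted by the vulnerable pair and rejected by the hardened pair, which is the behavioural difference the advisory describes.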
Marc Lattemann
2014-03-03 20:24:34 CET
Whiteboard: MGA3TOO MGA4-32-OK MGA3-64-OK MGA4-32-OK MGA-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

RedHat has issued an advisory for this:
https://rhn.redhat.com/errata/RHSA-2014-0246.html

Updating our advisory.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker (CVE-2014-0092).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
http://gnutls.org/security.html#GNUTLS-SA-2014-2
https://rhn.redhat.com/errata/RHSA-2014-0246.html

Advisory uploaded, validating.

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0117.html

Status: NEW => RESOLVED
David Walser
2014-03-04 18:37:00 CET
URL: (none) => http://lwn.net/Vulnerabilities/589237/