Bug 17467

Summary: gnutls, nss, openssl new security issue CVE-2015-7575
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: major    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/669862/
Whiteboard:
Source RPM: gnutls, nss, openssl CVE:
Status comment:

Description David Walser 2016-01-08 17:43:46 CET 
RedHat has issued advisories on January 7:
https://rhn.redhat.com/errata/RHSA-2016-0012.html
https://rhn.redhat.com/errata/RHSA-2016-0007.html
https://rhn.redhat.com/errata/RHSA-2016-0008.html

RedHat's bug for this:
https://bugzilla.redhat.com/show_bug.cgi?id=1289841

points to an OpenSSL commit from 2013 that fixes it, so I believe we're not affected there.  OpenSSL also has no new security advisory this week.

For gnutls, the patch they applied:
https://git.centos.org/raw/rpms!gnutls.git/4c24d76d039c9447f3fc6d70a32377b19f238521/SOURCES!gnutls-3.3.8-md5-downgrade.patch

has already been applied upstream in the version of gnutls that we have.

For NSS, we have the newest version 3.21.  It was fixed, that I know of, in 3.20.2, which came out later, but I'm assuming it was also fixed in 3.21, otherwise they would have issued 3.21.1.  If I'm wrong, I'm sure they will fix it in 3.21.1, which will go out with our normal Firefox updates.

So, we're not affected by this.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2016-01-08 17:44:03 CET 
Just filed this to have it documented.

Status: NEW => RESOLVED
Resolution: (none) => INVALID