Bug 19358

Summary: gnutls new security issue GNUTLS-SA-2016-3 (CVE-2016-7444)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/700652/
Whiteboard: MGA5-32-OK advisory
Source RPM: gnutls-3.2.21-1.1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-09-14 19:17:37 CEST 
Fedora has issued an advisory on September 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R3BHGPTCK63HOFYABBXNV567ESVRRKQD/

The issue is fixed upstream in 3.4.15.  Freeze push requested for Cauldron.

Patch checked in to Mageia 5 SVN.
Comment 1 David Walser 2016-09-14 21:44:27 CEST 
Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated gnutls packages fix security vulnerabilities:

An issue was found in certificate validation using OCSP responses caused by not
verifying the serial length, which can falsely report a certificate as valid
(GNUTLS-SA-2016-3).

References:
http://gnutls.org/security.html#GNUTLS-SA-2016-3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R3BHGPTCK63HOFYABBXNV567ESVRRKQD/
========================

Updated packages in core/updates_testing:
========================
gnutls-3.2.21-1.2.mga5
libgnutls28-3.2.21-1.2.mga5
libgnutls-ssl27-3.2.21-1.2.mga5
libgnutls-xssl0-3.2.21-1.2.mga5
libgnutls-devel-3.2.21-1.2.mga5

from gnutls-3.2.21-1.2.mga5.src.rpm

Assignee: bugsquad => qa-bugs

Comment 2 Herman Viaene 2016-09-16 11:06:24 CEST 
MGA5-32 on Acer D620 Xfce
No installation issues.
Followed test as per bug 15504 Comment 14
at CLI:
$ gnutls-cli www.mageia.org
Processed 199 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
and more info
ctrl-z out

CC: (none) => herman.viaene

Herman Viaene 2016-09-16 11:06:43 CEST

Whiteboard: (none) => MGA5-32-OK

Comment 3 David Walser 2016-09-19 18:48:54 CEST 
This has been assigned CVE-2016-7444:
http://openwall.com/lists/oss-security/2016/09/18/7

Advisory:
========================

Updated gnutls packages fix security vulnerabilities:

An issue was found in certificate validation using OCSP responses caused by not
verifying the serial length, which can falsely report a certificate as valid
(CVE-2016-7444).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7444
http://gnutls.org/security.html#GNUTLS-SA-2016-3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R3BHGPTCK63HOFYABBXNV567ESVRRKQD/
http://openwall.com/lists/oss-security/2016/09/18/7

Summary: gnutls new security issue GNUTLS-SA-2016-3 => gnutls new security issue GNUTLS-SA-2016-3 (CVE-2016-7444)

Dave Hodgins 2016-09-28 04:09:21 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2016-09-28 08:00:23 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0326.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED