Bug 20099

Summary: gnutls new security issues CVE-2017-533[4-7] and CVE-2016-8610
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, marja11, nicolas.salguero, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/711464/
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Source RPM: gnutls-3.2.21-1.2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-01-11 11:54:37 CET 
GnuTLS has issued advisories GNUTLS-SA-2017-1 and GNUTLS-SA-2017-2 on January 9:
http://www.gnutls.org/security.html

The issues are fixed in 3.3.26 and 3.5.8.

CVEs have been assigned for the issues:
http://openwall.com/lists/oss-security/2017/01/11/4

Upstream commits to fix the issues are linked in the message above.

Cauldron has already been updated to 3.5.8.
Comment 1 Marja Van Waes 2017-01-11 22:04:25 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

David Walser 2017-01-13 12:25:54 CET

URL: (none) => https://lwn.net/Vulnerabilities/711464/

Comment 2 David Walser 2017-01-31 12:12:38 CET 
gnutls in Mageia 5 is also affected by CVE-2016-8610, fixed in this commit:
https://gitlab.com/gnutls/gnutls/commit/1ffb827e45721ef56982d0ffd5c5de52376c428e

SUSE has issued an advisory for this on January 27:
https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00063.html

Summary: gnutls new security issues CVE-2017-533[4-7] => gnutls new security issues CVE-2017-533[4-7] and CVE-2016-8610
Severity: normal => major

Comment 3 Nicolas Salguero 2017-02-17 14:26:54 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Remote denial of service in SSL alert handling. (CVE-2016-8610)

In gnutls_x509_ext_import_proxy: if the language was set but the policy wasn't, that could lead to a double free. (CVE-2017-5334)

Decoding a specially crafted OpenPGP certificate could have lead to heap and stack overflows. (CVE-2017-5335, CVE-2017-5336 and CVE-2017-5337)

References:
https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00063.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8610
http://www.gnutls.org/security.html
http://openwall.com/lists/oss-security/2017/01/11/4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5334
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5335
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5336
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5337
========================

Updated packages in core/updates_testing:
========================
gnutls-3.2.21-1.3.mga5
lib(64)gnutls28-3.2.21-1.3.mga5
lib(64)gnutls-ssl27-3.2.21-1.3.mga5
lib(64)gnutls-xssl0-3.2.21-1.3.mga5
lib(64)gnutls-devel-3.2.21-1.3.mga5

from SRPMS:
gnutls-3.2.21-1.3.mga5.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs

Dave Hodgins 2017-02-19 18:38:35 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 4 Dave Hodgins 2017-02-20 04:52:46 CET 
Testing complete on Mageia 5 i586 and x86_64 using
https://bugs.mageia.org/show_bug.cgi?id=6911#c1

Validating the update

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-02-20 14:01:01 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0053.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED