| Summary: | gnutls new security issues CVE-2018-1084[4-6] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, guillomovitch, herman.viaene, marja11, nicolas.salguero, pterjan, smelror, sysadmin-bugs, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK MGA6-32-OK | ||
| Source RPM: | gnutls-3.5.13-1.mga6.src.rpm | CVE: | CVE-2018-10844, CVE-2018-10845, CVE-2018-10846 |
| Status comment: | |||
|
Description
David Walser
2018-10-13 00:45:28 CEST
David Walser
2018-10-13 00:45:35 CEST
Whiteboard:
(none) =>
MGA6TOO Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers. Assignee:
bugsquad =>
pkg-bugs Hi, Version 3.6.3 (Cauldron) already contains the fixes for those issues. Best regards, Nico. CC:
(none) =>
nicolas.salguero Suggested advisory: ======================== The updated packages fix security vulnerabilities: It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets. (CVE-2018-10844) It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets. (CVE-2018-10845) A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets. (CVE-2018-10846) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10844 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10845 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10846 https://lists.opensuse.org/opensuse-updates/2018-09/msg00147.html https://lists.opensuse.org/opensuse-updates/2018-10/msg00000.html ======================== Updated packages in core/updates_testing: ======================== gnutls-3.5.13-1.1.mga6 lib(64)gnutls30-3.5.13-1.1.mga6 lib(64)gnutlsxx28-3.5.13-1.1.mga6 lib(64)gnutls-devel-3.5.13-1.1.mga6 from SRPMS: gnutls-3.5.13-1.1.mga6.src.rpm Whiteboard:
MGA6TOO =>
(none) MGA6-32 MATE on IBM Thinkpad R50e No installation issues Ref to bug 20417 Comment 11: I installed xombrero, point it to google, enter "apod" in the search field and select the astronomical picture of the day. Very nice. Whiteboard:
(none) =>
MGA6-32-OK Performed the same test with 64-bit, because it sounded really easy, and indeed it looks very nice. OK for 64-bit. Validating. Advisory in Comment 3. Whiteboard:
MGA6-32-OK =>
MGA6-64-OK MGA6-32-OK
Thomas Backlund
2018-11-03 11:57:04 CET
Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0435.html Resolution:
(none) =>
FIXED |