Bug 26444

Summary: gnutls new security issue CVE-2020-11501
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs, tmb
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: gnutls-3.6.7-1.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2020-04-06 22:34:05 CEST
Debian has issued an advisory on April 4:
https://www.debian.org/security/2020/dsa-4652

The issue is fixed upstream in 3.6.13.
Comment 1 Lewis Smith 2020-04-07 09:56:24 CEST
Assigning to you, DavidG, as having committed this previously. No registered maintainer.
It looks as if DavidW has just committed 3.6.13.

Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2020-04-07 14:41:11 CEST
Done for mga7!
Comment 3 David Walser 2020-04-07 15:41:23 CEST
Advisory:
========================

Updated gnutls packages fix security vulnerability:

A flaw was reported in the DTLS protocol implementation in GnuTLS. The DTLS
client would not contribute any randomness to the DTLS negotiation, breaking
the security guarantees of the DTLS protocol (CVE-2020-11501).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11501
https://www.debian.org/security/2020/dsa-4652
========================

Updated packages in core/updates_testing:
========================
gnutls-3.6.7-1.1.mga7
libgnutls30-3.6.7-1.1.mga7
libgnutlsxx28-3.6.7-1.1.mga7
libgnutls-devel-3.6.7-1.1.mga7

from gnutls-3.6.7-1.1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
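
The advisory above describes a DTLS client that contributes no randomness to the negotiation. As an added illustration (not part of this bug report or of GnuTLS), the following Python parses a DTLS 1.2 ClientHello out of a captured record and flags a client random that carries no fresh entropy. The sample record is constructed inline, and the two checks (every byte identical, or a random reused across handshakes) are assumed symptoms of a "no randomness" client in general, not a statement of how the GnuTLS defect manifested on the wire.

```python
import struct

DTLS_HANDSHAKE, DTLS_CLIENT_HELLO = 22, 1


def build_dtls_client_hello(client_random: bytes, cookie: bytes = b"") -> bytes:
    """Constructed sample: a minimal DTLS 1.2 record carrying one ClientHello
    (one cipher suite, null compression, no extensions). Test data only."""
    body = (b"\xfe\xfd" + client_random + b"\x00"          # version, random, empty session_id
            + bytes([len(cookie)]) + cookie               # DTLS cookie
            + b"\x00\x02\xc0\x2f" + b"\x01\x00")          # cipher_suites, compression_methods
    hs = (bytes([DTLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big")   # msg_type, length
          + b"\x00\x00" + (0).to_bytes(3, "big")                      # message_seq, fragment_offset
          + len(body).to_bytes(3, "big") + body)                      # fragment_length, body
    return (bytes([DTLS_HANDSHAKE]) + b"\xfe\xfd" + b"\x00\x00"       # type, version, epoch
            + (0).to_bytes(6, "big") + struct.pack("!H", len(hs)) + hs)  # sequence, length


def parse_dtls_client_hello(record: bytes) -> dict:
    """Parse one DTLS record holding an unfragmented ClientHello and return
    the fields that carry the client's contribution to the handshake."""
    if len(record) < 25 or record[0] != DTLS_HANDSHAKE:
        raise ValueError("not a DTLS handshake record")
    rec_len = struct.unpack("!H", record[11:13])[0]
    hs = record[13:13 + rec_len]
    if len(hs) < 12 or hs[0] != DTLS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    msg_len = int.from_bytes(hs[1:4], "big")
    frag_off = int.from_bytes(hs[6:9], "big")
    frag_len = int.from_bytes(hs[9:12], "big")
    if frag_off != 0 or frag_len != msg_len:
        raise ValueError("fragmented ClientHello; reassemble before parsing")
    body = hs[12:12 + msg_len]
    sid_len = body[34]
    cookie_len = body[35 + sid_len]
    return {"version": body[0:2], "random": body[2:34],
            "session_id": body[35:35 + sid_len],
            "cookie": body[36 + sid_len:36 + sid_len + cookie_len]}


def random_is_degenerate(client_random: bytes, seen: set) -> bool:
    """Assumed symptoms of a client that adds no randomness: wrong length,
    every byte identical (e.g. all zero), or a value already seen in an
    earlier handshake. `seen` accumulates randoms across handshakes."""
    if len(client_random) != 32 or len(set(client_random)) == 1 or client_random in seen:
        return True
    seen.add(client_random)
    return False
```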

Comment 4 David Walser 2020-04-08 01:42:45 CEST
Ubuntu has issued an advisory for this today (April 7):
https://usn.ubuntu.com/4322-1/

Severity: normal => major

Comment 5 Herman Viaene 2020-04-08 14:29:25 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to previous bug is no help, the xombrero package isn't in the repos anymore.
Testing its own commands:
$ gnutls-cli <mywebsever>
Processed 156 CA certificate(s).
Resolving '<mywebsever>:443'...
Connecting to '192.168.2.1:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', issuer `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', serial 0x00e3ee000a2bf5d3c8, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-12-29 13:19:18 UTC', expires `2020-12-28 13:19:18 UTC', pin-sha256="lQTW7XKLrPuHit3Kpdh+tTSYK/HmL+hr7gBymvEXpEo="
        Public Key ID:
                sha1:d7f2bb1732d7012d2db625f09f249e45fe4b222d
                sha256:9504d6ed728bacfb878addcaa5d87eb534982bf1e62fe86bee00729af117a44a
        Public Key PIN:
                pin-sha256:lQTW7XKLrPuHit3Kpdh+tTSYK/HmL+hr7gBymvEXpEo=

- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

That's fair enough.

$ gnutls-serv 
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

Pointed the browser to http://localhost:5556/ and got an answer, but only some binary data.
Good enough to prove the thing works.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-04-09 00:04:43 CEST
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-04-15 10:42:43 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-04-15 12:13:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0168.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED