Bug 30112

Summary: gnutls new security issue CVE-2021-4209
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, mageia, nicolas.salguero, sysadmin-bugs
Version: 8 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: gnutls-3.6.15-3.1.mga8.src.rpm CVE: CVE-2021-4209
Status comment:

Description David Walser 2022-03-03 22:09:48 CET
SUSE has issued an advisory on March 2:
https://lists.suse.com/pipermail/sle-security-updates/2022-March/010333.html

The issue is fixed upstream in 3.7.3.
David Walser 2022-03-03 22:11:30 CET

Status comment: (none) => Patch available from upstream
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-03-04 19:34:51 CET
openSUSE has issued an advisory for this on March 3:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RI5PFWTNO6UDYFJ3HLMKV5PQYAJ77E46/
Comment 2 Nicolas Salguero 2022-03-05 09:28:07 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Null pointer dereference in MD_UPDATE. (CVE-2021-4209)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4209
https://lists.suse.com/pipermail/sle-security-updates/2022-March/010333.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RI5PFWTNO6UDYFJ3HLMKV5PQYAJ77E46/
========================

Updated packages in core/updates_testing:
========================
gnutls-3.6.15-3.2.mga8
lib(64)gnutls30-3.6.15-3.2.mga8
lib(64)gnutlsxx28-3.6.15-3.2.mga8
lib(64)gnutls-devel-3.6.15-3.2.mga8

from SRPM:
gnutls-3.6.15-3.2.mga8.src.rpm

CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-4209
Assignee: bugsquad => qa-bugs
Status comment: Patch available from upstream => (none)

Comment 3 PC LX 2022-03-11 17:55:38 CET
Installed and tested without issue.

This update has been in use for several days now and several core packages depend on gnutls. Along with the normal workstation usage, I also did some explicit tests with aria2c (a gnutls user) and nothing broke, so this update gets an OK from me.

Please unOK if you find any issues.

System: Mageia 8, x86_64, Intel CPU.

$ uname -a
Linux marte 5.15.25-desktop-1.mga8 #1 SMP Wed Feb 23 19:39:18 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep gnutls.*3.6.15 | sort
gnutls-3.6.15-3.2.mga8
lib64gnutls30-3.6.15-3.2.mga8
libgnutls30-3.6.15-3.1.mga8

Whiteboard: (none) => MGA8-64-OK
CC: (none) => mageia

Comment 4 Dave Hodgins 2022-03-11 21:46:05 CET
No regressions noticed. Validating the update. Advisory committed to svn.

CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 5 Mageia Robot 2022-03-12 04:08:46 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0098.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED