Bug 30691

Summary: gnutls new security issue CVE-2022-2509
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: davidwhodgins, marja11, nicolas.salguero, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: gnutls-3.6.15-3.2.mga8.src.rpm
CVE: CVE-2022-2509
Status comment:

Comment 1 Marja Van Waes 2022-08-02 13:36:31 CEST
Assigning to the base system maintainers (there is no registered maintainer for this package).

CC: (none) => marja11
Assignee: bugsquad => basesystem

Comment 2 David Walser 2022-08-05 18:30:19 CEST
Ubuntu has issued an advisory for this on August 4:
https://ubuntu.com/security/notices/USN-5550-1

Comment 3 David Walser 2022-08-09 17:05:44 CEST
Debian has issued an advisory for this on August 8:
https://www.debian.org/security/2022/dsa-5203

Comment 4 David Walser 2022-08-17 19:06:48 CEST
SUSE has issued an advisory for this today (August 17):
https://lists.suse.com/pipermail/sle-security-updates/2022-August/011930.html

Comment 5 Nicolas Salguero 2022-08-22 16:37:32 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A double free error occurs during verification of pkcs7 signatures in the gnutls_pkcs7_verify function. (CVE-2022-2509)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2509
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5NRKG3OBVPVFJTDYYF6SZH5KZIWFLVPW/
https://www.gnutls.org/security-new.html#GNUTLS-SA-2022-07-07
https://ubuntu.com/security/notices/USN-5550-1
https://www.debian.org/security/2022/dsa-5203
https://lists.suse.com/pipermail/sle-security-updates/2022-August/011930.html
========================

Updated packages in core/updates_testing:
========================
gnutls-3.6.15-3.3.mga8
lib(64)gnutls30-3.6.15-3.3.mga8
lib(64)gnutlsxx28-3.6.15-3.3.mga8
lib(64)gnutls-devel-3.6.15-3.3.mga8

from SRPM:
gnutls-3.6.15-3.3.mga8.src.rpm

CVE: (none) => CVE-2022-2509
CC: (none) => nicolas.salguero
Assignee: basesystem => qa-bugs
Status: NEW => ASSIGNED

Comment 6 Dave Hodgins 2022-08-24 22:34:22 CEST
No regressions noticed or reported. Validating.

CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-08-24 23:03:57 CEST

Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-08-25 23:23:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0301.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED