| Summary: | gnutls new security issues CVE-2024-2883[45] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, mageia, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | gnutls-3.8.0-2.2.mga9.src.rpm | CVE: | CVE-2024-28834, CVE-2024-28835 |
| Status comment: | | | |
Description
Nicolas Salguero
2024-03-20 14:13:07 CET

Nicolas Salguero
2024-03-20 14:13:38 CET
CVE: (none) => CVE-2024-28834, CVE-2024-28835

Unsure who to assign to. NicolasS committed 3.8.2, 3.8.3 for security fixes, is implicitly CC'd.
Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel. (CVE-2024-28834)

A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command. (CVE-2024-28835)

References:
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2024&m=slackware-security.365688
========================

Updated packages in core/updates_testing:
========================

gnutls-3.8.4-1.mga9
lib(64)gnutls-dane0-3.8.4-1.mga9
lib(64)gnutls-devel-3.8.4-1.mga9
lib(64)gnutls30-3.8.4-1.mga9
lib(64)gnutlsxx30-3.8.4-1.mga9

from SRPM:
gnutls-3.8.4-1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
PC LX
2024-03-22 18:58:42 CET
CC: (none) => mageia

katnatek
2024-03-22 20:00:24 CET
Keywords: (none) => advisory

RH Test: install current versions and update
LC_ALL=C urpmi gnutls lib64gnutls-dane0 lib64gnutls-devel lib64gnutls30 lib64gnutlsxx30
Package lib64gnutls30-3.8.0-2.2.mga9.x86_64 is already installed
Marking lib64gnutls30 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "QA Testing (64-bit)")
lib64python3-devel 3.10.11 1.1.mga9 x86_64
lib64python3.10-testsuite 3.10.11 1.1.mga9 x86_64 (recommended)
python3-docs 3.10.11 1.1.mga9 noarch (recommended)
(medium "Core Release (distrib1)")
lib64event-devel 2.1.12 4.mga9 x86_64
lib64ffi-devel 3.4.4 1.mga9 x86_64
lib64gmp-devel 6.2.1 3.mga9 x86_64
lib64mnl-devel 1.0.5 1.mga9 x86_64
lib64nettle-devel 3.9 1.mga9 x86_64
lib64p11-kit-devel 0.24.1 2.mga9 x86_64
lib64tasn1-devel 4.19.0 1.mga9 x86_64
libtasn1-tools 4.19.0 1.mga9 x86_64
(medium "Core Updates (distrib3)")
gnutls 3.8.0 2.2.mga9 x86_64
lib64gnutls-dane0 3.8.0 2.2.mga9 x86_64
lib64gnutls-devel 3.8.0 2.2.mga9 x86_64
lib64gnutlsxx30 3.8.0 2.2.mga9 x86_64
lib64unbound-devel 1.19.1 1.mga9 x86_64
155MB of additional disk space will be used.
22MB of packages will be retrieved.
Proceed with the installation of the 16 packages? (Y/n) y
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64tasn1-devel-4.19.0-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64event-devel-2.1.12-4.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64mnl-devel-1.0.5-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64gmp-devel-6.2.1-3.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64p11-kit-devel-0.24.1-2.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/libtasn1-tools-4.19.0-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64nettle-devel-3.9-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64ffi-devel-3.4.4-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64gnutls-devel-3.8.0-2.2.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64gnutls-dane0-3.8.0-2.2.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64gnutlsxx30-3.8.0-2.2.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64unbound-devel-1.19.1-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/gnutls-3.8.0-2.2.mga9.x86_64.rpm
installing /var/cache/urpmi/rpms/libtasn1-tools-4.19.0-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64p11-kit-devel-0.24.1-2.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/python3-docs-3.10.11-1.1.mga9.noarch.rpm
/var/cache/urpmi/rpms/lib64unbound-devel-1.19.1-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64event-devel-2.1.12-4.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64nettle-devel-3.9-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/lib64python3.10-testsuite-3.10.11-1.1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/lib64python3-devel-3.10.11-1.1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64gmp-devel-6.2.1-3.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64mnl-devel-1.0.5-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64gnutlsxx30-3.8.0-2.2.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64gnutls-dane0-3.8.0-2.2.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64tasn1-devel-4.19.0-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64ffi-devel-3.4.4-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/gnutls-3.8.0-2.2.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64gnutls-devel-3.8.0-2.2.mga9.x86_64.rpm
Preparing... ######################################################################################
1/16: lib64gnutls-dane0 ######################################################################################
2/16: lib64gmp-devel ######################################################################################
3/16: lib64nettle-devel ######################################################################################
4/16: gnutls ######################################################################################
5/16: lib64ffi-devel ######################################################################################
6/16: lib64p11-kit-devel ######################################################################################
7/16: lib64gnutlsxx30 ######################################################################################
8/16: lib64mnl-devel ######################################################################################
9/16: lib64python3.10-testsuite
######################################################################################
10/16: lib64event-devel ######################################################################################
11/16: python3-docs ######################################################################################
12/16: lib64python3-devel ######################################################################################
13/16: lib64unbound-devel ######################################################################################
14/16: libtasn1-tools ######################################################################################
15/16: lib64tasn1-devel ######################################################################################
16/16: lib64gnutls-devel ######################################################################################
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing lib64gnutls30-3.8.4-1.mga9.x86_64.rpm lib64gnutls-dane0-3.8.4-1.mga9.x86_64.rpm lib64gnutls-devel-3.8.4-1.mga9.x86_64.rpm lib64gnutlsxx30-3.8.4-1.mga9.x86_64.rpm gnutls-3.8.4-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ######################################################################################
1/5: lib64gnutls30 ######################################################################################
2/5: lib64gnutls-dane0 ######################################################################################
3/5: gnutls ######################################################################################
4/5: lib64gnutlsxx30 ######################################################################################
5/5: lib64gnutls-devel ######################################################################################
1/5: removing lib64gnutls-devel-3.8.0-2.2.mga9.x86_64
######################################################################################
2/5: removing gnutls-3.8.0-2.2.mga9.x86_64
######################################################################################
3/5: removing lib64gnutls-dane0-3.8.0-2.2.mga9.x86_64
######################################################################################
4/5: removing lib64gnutlsxx30-3.8.0-2.2.mga9.x86_64
######################################################################################
5/5: removing lib64gnutls30-3.8.0-2.2.mga9.x86_64
######################################################################################
writing /var/lib/rpm/installed-through-deps.list
I do not understand how to reproduce the test of previous rounds.

gnutls-serv
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

This is what I see if I point the browser to http://localhost:5556/

gnutls-cli mageia.org

Looks well for me.

Installed and tested without issues. This update has been in use for over two days without issues.

Tested gnutls-serv as HTTP server with valid certificate and several HTTP clients.

HTTP server with valid certificate:
gnutls-serv --sni-hostname=example.com --http --x509keyfile=example.com.key --x509certfile=example.com.cert --port=8080

HTTP clients: gnutls-cli, sslscan, curl, wget, aria2c, firefox, chromium.

All OK.

Server System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.
$ uname -a
Linux marte 6.6.22-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 17 18:04:51 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep -P 'gnutls.*3\.8\.4' | sort
gnutls-3.8.4-1.mga9
lib64gnutls30-3.8.4-1.mga9
lib64gnutls-dane0-3.8.4-1.mga9

Workstation System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.
$ uname -a
Linux jupiter 6.6.22-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 17 18:04:51 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep 'gnutls.*3\.8\.4' | sort
gnutls-3.8.4-1.mga9
lib64gnutls30-3.8.4-1.mga9
lib64gnutls-dane0-3.8.4-1.mga9
libgnutls30-3.8.4-1.mga9
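The testers above confirm the fix with `rpm -qa | grep 'gnutls.*3\.8\.4'`, which only lists packages that already match the new version; a package left behind on 3.8.0-2.2.mga9 simply does not appear. The following added check (not part of this QA thread or of Mageia's tooling) instead parses every gnutls package from `rpm -qa` output and compares it against the advisory's fixed build 3.8.4-1.mga9 using a simplified reimplementation of rpm's version ordering (rpmvercmp without tilde/caret handling). The `SAMPLE_RPM_QA` lines are constructed sample input modelled on the thread's output, with one package deliberately left unpatched.

```python
import re

FIXED_VERSION, FIXED_RELEASE = "3.8.4", "1.mga9"  # fixed build in this advisory

# Constructed sample `rpm -qa | grep gnutls` output (Mageia prints no arch):
# three packages updated, lib64gnutls-dane0 still on the vulnerable build.
SAMPLE_RPM_QA = """\
gnutls-3.8.4-1.mga9
lib64gnutls30-3.8.4-1.mga9
lib64gnutls-dane0-3.8.0-2.2.mga9
libgnutls30-3.8.4-1.mga9
"""

def rpmvercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret): compare digit/alpha runs pairwise;
    numeric beats alpha, digits compare as integers, longer wins on a tie."""
    sa, sb = (re.findall(r"[0-9]+|[a-zA-Z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

NVR = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)$")

def parse_nvr(line):
    """Split 'name-version-release'; the name itself may contain dashes."""
    m = NVR.match(line.strip())
    if not m:
        raise ValueError(f"not a name-version-release string: {line!r}")
    return m.group("name"), m.group("ver"), m.group("rel")

def is_fixed(version, release):
    """True if version-release is at or above the advisory's fixed build."""
    c = rpmvercmp(version, FIXED_VERSION)
    return c > 0 if c else rpmvercmp(release, FIXED_RELEASE) >= 0

def audit(rpm_qa_output):
    """Map each gnutls package name to whether it carries the fix."""
    report = {}
    for line in rpm_qa_output.splitlines():
        if "gnutls" in line:
            name, ver, rel = parse_nvr(line)
            report[name] = is_fixed(ver, rel)
    return report
```

On a real Mageia 9 host, feed `subprocess.check_output(["rpm", "-qa"], text=True)` to `audit()` in place of the sample; any `False` entry is a package still exposed to CVE-2024-28834/28835.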
katnatek
2024-03-25 18:39:55 CET
CC: (none) => andrewsfarm

katnatek
2024-03-25 18:40:14 CET
Whiteboard: (none) => MGA9-64-OK

Validating.
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0089.html
Resolution: (none) => FIXED