Bug 6911

Summary: gnutls missing update for CVE-2012-0390
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: stormi-mageia, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/486067/
Whiteboard: has_procedure MGA1-32-OK MGA1-64-OK
Source RPM: gnutls-2.10.5-2.2.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-07-31 02:02:47 CEST 
OpenSuSE issued an advisory on March 9:
http://lists.opensuse.org/opensuse-updates/2012-03/msg00010.html

This is fixed in the version of gnutls we have in Mageia 2.

Patched package uploaded for Mageia 1.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain
error-handling code only if there is a specific relationship between a
padding length and the ciphertext size, which makes it easier for remote
attackers to recover partial plaintext via a timing side-channel attack
(CVE-2012-0390).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0390
http://lists.opensuse.org/opensuse-updates/2012-03/msg00010.html
========================

Updated packages in core/updates_testing:
========================
gnutls-2.10.5-2.3.mga1
libgnutls26-2.10.5-2.3.mga1
libgnutls-devel-2.10.5-2.3.mga1

from gnutls-2.10.5-2.3.mga1.src.rpm
Comment 1 Samuel Verschelde 2012-08-05 16:59:34 CEST 
The only changed file is in the packages is /usr/lib/libgnutls.so.26.16.14 from libgnutls26 (i586), and also devel files from libgnutls-devel. gnutls itself is unchanged.

"gnutls-cli www.mageia.org" shows handshake works. Then type anything and get a 400 error from mageia server, it shows the connection works.

CC: (none) => stormi
Whiteboard: (none) => has_procedure MGA1-32-OK

Comment 2 Samuel Verschelde 2012-08-05 17:14:35 CEST 
No exploit found.
Comment 3 Samuel Verschelde 2012-08-05 20:21:49 CEST 
Testing complete Mageia 1 64.

Update validated.

See comment #0 for advisory and SRPM.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA1-32-OK => has_procedure MGA1-32-OK MGA1-64-OK

Samuel Verschelde 2012-08-05 20:22:24 CEST

CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2012-08-06 18:58:22 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0202

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED