| Summary: | [Update Request] Update gnutls to 3.0.28 to fix CVE-2013-1619 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Funda Wang <fundawang> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.gnutls.org/security.html#GNUTLS-SA-2013-1 | ||
| Whiteboard: | has_procedure mga2-64-ok mga2-32-ok | ||
| Source RPM: | gnutls-3.0.28-2.mga2 | CVE: | |
| Status comment: | |||
Description
Funda Wang
2013-02-11 13:04:05 CET
SRPM: gnutls-3.0.28-2.mga2.src.rpm
----------------------------------
gnutls
lib64gnutls28
lib64gnutls-devel
lib64gnutls-ssl27

Whiteboard: (none) => has_procedure

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=6911#c1

So 2 SRPMs in this update.

SRPM: libtasn1-2.14-1.mga2.src.rpm
----------------------------------
lib64tasn1_3
lib64tasn1-devel
libtasn1-tools

Testing complete mga2 64

Confirmed the update requires the new lib64tasn1_3

```
# urpmi gnutls
Marking gnutls as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Updates Testing")
gnutls 3.0.28 2.mga2 x86_64
lib64gnutls-devel 3.0.28 2.mga2 x86_64
lib64gnutls-ssl27 3.0.28 2.mga2 x86_64
lib64gnutls28 3.0.28 2.mga2 x86_64
lib64tasn1-devel 2.14 1.mga2 x86_64
lib64tasn1_3 2.14 1.mga2 x86_64
74KB of additional disk space will be used.
1.8MB of packages will be retrieved.
$ gnutls-cli www.mageia.org
Processed 181 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '217.70.188.116:443'...
- Peer's certificate is trusted
- The hostname in the certificate matches 'www.mageia.org'.
...etc
```

Depchecked OK. Added requires are provided in updates.

Whiteboard: has_procedure => has_procedure mga2-64-ok

Testing complete mga2 32

The versioned require is on libgnutls28 rather than gnutls itself, so gnutls doesn't require the correct lib version and fails.

```
$ gnutls-cli www.mageia.org
gnutls-cli: relocation error: gnutls-cli: symbol gnutls_certificate_set_x509_system_trust, version GNUTLS_3_0_0 not defined in file libgnutls.so.28 with link time reference
```

After installing the updated libgnutls28, which requires the correct version of libtasn1_3, it works as expected. I don't see this as an issue, as it should install the latest version found in updates when installed from scratch, and we don't officially support cherry-picking updates.

Confirmed libgnutls28 does require the updated libtasn1_3.

Validating

Advisory
--------
Nadhem Alfardan and Kenny Paterson devised an attack that recovers some bits of the plaintext of a GnuTLS session that utilizes the CBC ciphersuites, by using timing information (CVE-2013-1619). The gnutls package has been updated to the latest 3.0.28 version to fix the above problem.
--------

SRPMs:
gnutls-3.0.28-2.mga2.src.rpm
libtasn1-2.14-1.mga2.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update

OK, I've pushed gnutls-3.0.28-3.mga2 into updates_testing so that the correct versions of the libs are required.

Validation dropped due to rebuild of gnutls.

Keywords: validated_update => (none)

Retesting mga2 64 complete

```
# dcupdt
Disabling Core Updates Testing
# rpm -e --nodeps lib64tasn1_3
# urpmi lib64tasn1_3
Marking lib64tasn1_3 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
installing lib64tasn1_3-2.12-1.mga2.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... #########################
1/1: lib64tasn1_3 #########################
# urpmi gnutls
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Updates Testing")
gnutls 3.0.28 3.mga2 x86_64
lib64gnutls-devel 3.0.28 3.mga2 x86_64
lib64gnutls-ssl27 3.0.28 3.mga2 x86_64
lib64gnutls28 3.0.28 3.mga2 x86_64
lib64tasn1_3 2.14 1.mga2 x86_64
16B of disk space will be freed.
1.8MB of packages will be retrieved.
Proceed with the installation of the 5 packages? (Y/n) y
$ gnutls-cli www.mageia.org
Processed 181 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '217.70.188.116:443'...
- Peer's certificate is trusted
- The hostname in the certificate matches 'www.mageia.org'.
...etc
```

Whiteboard: has_procedure => has_procedure mga2-64-ok

Completed mga2 32

Revalidating

Advisory
--------
Nadhem Alfardan and Kenny Paterson devised an attack that recovers some bits of the plaintext of a GnuTLS session that utilizes the CBC ciphersuites, by using timing information (CVE-2013-1619). The gnutls package has been updated to the latest 3.0.28 version to fix the above problem.
--------

SRPMs:
gnutls-3.0.28-3.mga2.src.rpm
libtasn1-2.14-1.mga2.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0050

Status: NEW => RESOLVED