Bug 11561 - gnutls new security issue CVE-2013-4466
: gnutls new security issue CVE-2013-4466
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/572103/
: advisory has_procedure mga3-32-ok mga...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-10-29 20:25 CET by David Walser
Modified: 2013-11-30 22:44 CET (History)
3 users (show)

See Also:
Source RPM: gnutls-3.1.13-1.mga3.src.rpm
CVE:


Attachments

Description David Walser 2013-10-29 20:25:07 CET
Fedora has issued an advisory on October 27:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119788.html

The issue is fixed upstream in 3.1.15 and 3.2.5.

Mageia 3 is also affected.  Mageia 2 is not.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-11-05 21:27:55 CET
Updated packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

A DNS server that returns more 4 DANE entries could corrupt the memory of a
requesting client using the DANE library from GnuTLS before 3.1.15 and 3.2.5
(CVE-2013-4466).

This updates GnuTLS to version 3.1.16, fixing this issue and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4466
http://www.gnutls.org/security.html#GNUTLS-SA-2013-3
http://lists.gnutls.org/pipermail/gnutls-help/2013-August/003216.html
http://lists.gnutls.org/pipermail/gnutls-help/2013-October/003250.html
http://lists.gnutls.org/pipermail/gnutls-help/2013-October/003262.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119788.html
========================

Updated packages in core/updates_testing:
========================
gnutls-3.1.16-1.mga3
libgnutls28-3.1.16-1.mga3
libgnutls-ssl27-3.1.16-1.mga3
libgnutls-xssl0-3.1.16-1.mga3
libgnutls-devel-3.1.16-1.mga3

from gnutls-3.1.16-1.mga3.src.rpm
Comment 2 David Walser 2013-11-18 21:34:49 CET
Just in case anyone wonders, I updated to 3.1.16 because it fixed a regression in the CVE-2013-4466 fix in 3.1.15.  This regression itself was allocated CVE-2013-4487, which we don't need to add to our advisory, since we never issued an update for 3.1.15.

http://lwn.net/Vulnerabilities/574202/
Comment 3 claire robinson 2013-11-27 15:38:31 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=6911#c1

"gnutls-cli www.mageia.org" shows handshake works. Then type anything and get a 400 error from mageia server, it shows the connection works.
Comment 4 claire robinson 2013-11-27 15:45:40 CET
Testing complete mga2 32 & 64

Validating

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Comment 5 claire robinson 2013-11-27 15:45:55 CET
oops mga3 above :D
Comment 6 Thomas Backlund 2013-11-30 22:44:12 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0354.html

Note You need to log in before you can comment on or make changes to this bug.