Fedora has issued an advisory on October 27:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119788.html
The issue is fixed upstream in 3.1.15 and 3.2.5. Mageia 3 is also affected. Mageia 2 is not.
Updated packages uploaded for Mageia 3 and Cauldron.
Advisory:
========================
Updated gnutls packages fix security vulnerability:
A DNS server that returns more than 4 DANE entries could corrupt the memory of a requesting client using the DANE library from GnuTLS before 3.1.15 and 3.2.5 (CVE-2013-4466).
This updates GnuTLS to version 3.1.16, fixing this issue and several other bugs.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4466
http://www.gnutls.org/security.html#GNUTLS-SA-2013-3
http://lists.gnutls.org/pipermail/gnutls-help/2013-August/003216.html
http://lists.gnutls.org/pipermail/gnutls-help/2013-October/003250.html
http://lists.gnutls.org/pipermail/gnutls-help/2013-October/003262.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119788.html
========================
Updated packages in core/updates_testing:
========================
gnutls-3.1.16-1.mga3
libgnutls28-3.1.16-1.mga3
libgnutls-ssl27-3.1.16-1.mga3
libgnutls-xssl0-3.1.16-1.mga3
libgnutls-devel-3.1.16-1.mga3
from gnutls-3.1.16-1.mga3.src.rpm
Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Just in case anyone wonders, I updated to 3.1.16 because it fixed a regression in the CVE-2013-4466 fix in 3.1.15. This regression itself was allocated CVE-2013-4487, which we don't need to add to our advisory, since we never issued an update for 3.1.15. http://lwn.net/Vulnerabilities/574202/
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Procedure: https://bugs.mageia.org/show_bug.cgi?id=6911#c1
"gnutls-cli www.mageia.org" shows the handshake works. Then type anything and get a 400 error from the Mageia server, which shows the connection works.
Whiteboard: advisory => advisory has_procedure
Testing complete mga2 32 & 64
Validating
Could sysadmin please push from 3 core/updates_testing to updates
Thanks!
Keywords: (none) => validated_update
Whiteboard: advisory has_procedure => advisory has_procedure mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs
oops mga3 above :D
Whiteboard: advisory has_procedure mga2-32-ok mga2-64-ok => advisory has_procedure mga3-32-ok mga3-64-ok
Update pushed: http://advisories.mageia.org/MGASA-2013-0354.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED