A CVE has been assigned for an issue fixed upstream in 3.1.21 and 3.2.11:
http://openwall.com/lists/oss-security/2014/02/13/6
http://openwall.com/lists/oss-security/2014/02/13/7

We should probably just update to the newest versions since 1) we've already been doing that on Mageia 3 and 2) 3.2.x is considered "stable" upstream now as of 3.2.9 IIRC, and we have 3.2.7 in Mageia 4.
CC: (none) => fundawang
Whiteboard: (none) => MGA4TOO, MGA3TOO
fixed with gnutls-3.1.16-1.1.mga3, gnutls-3.2.7-1.1.mga4 and gnutls-3.2.11-1.mga5
CC: (none) => oe
Thanks Oden!

Advisory:
========================

Updated gnutls packages fix security vulnerability:

Suman Jana reported a vulnerability that affects the certificate verification functions of gnutls 3.1.x and gnutls 3.2.x. A version 1 intermediate certificate will be considered as a CA certificate by default (something that deviates from the documented behavior) (CVE-2014-1959).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
http://www.gnutls.org/security.html#GNUTLS-SA-2014-1
========================

Updated packages in core/updates_testing:
========================
gnutls-3.1.16-1.1.mga3
libgnutls28-3.1.16-1.1.mga3
libgnutls-ssl27-3.1.16-1.1.mga3
libgnutls-xssl0-3.1.16-1.1.mga3
libgnutls-devel-3.1.16-1.1.mga3
gnutls-3.2.7-1.1.mga4
libgnutls28-3.2.7-1.1.mga4
libgnutls-ssl27-3.2.7-1.1.mga4
libgnutls-xssl0-3.2.7-1.1.mga4
libgnutls-devel-3.2.7-1.1.mga4

from SRPMS:
gnutls-3.1.16-1.1.mga3.src.rpm
gnutls-3.2.7-1.1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
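The advisory above describes the defect as a version 1 certificate in the intermediate position being accepted as a CA. The following is an added example for this thread, not gnutls code and not part of the Mageia update: it reads the X.509 version field from the front of a DER certificate and flags any v1 certificate that sits between the leaf and the trust anchor, which is the policy the advisory says gnutls documents. The "certificates" it runs on are constructed DER stubs containing only the leading tbsCertificate fields (version and serial number), so the script runs offline without real certificates; the function names and the stub builder are this example's own.

```python
"""Flag X.509 v1 certificates in the intermediate position of a chain.

Added example for the CVE-2014-1959 discussion; not gnutls code.  Only the
version field at the start of a DER certificate is inspected, so a minimal
DER tag/length reader suffices.  The sample inputs below are constructed
stubs carrying just the leading tbsCertificate fields; they are not real
certificates.
"""


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def x509_version(der):
    """Return the X.509 version (1, 2 or 3) of a DER-encoded certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber INTEGER, ... }
    A v1 certificate omits the [0] element entirely, so the first element of
    tbsCertificate is the serial number instead.
    """
    tag, start, _ = _read_tlv(der, 0)           # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, _ = _read_tlv(der, start)       # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _read_tlv(der, start)     # version [0] or serialNumber
    if tag != 0xA0:
        return 1
    tag, start, end = _read_tlv(der, start)     # INTEGER inside the [0] tag
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[start:end], "big") + 1


def check_intermediates(chain):
    """Policy check for a leaf-first chain ending in the trusted anchor.

    Every certificate strictly between the leaf and the anchor must be v3
    before it may act as a CA; a v1 certificate there is reported.  Returns a
    list of (index, version) pairs for offending intermediates.
    """
    offending = []
    for idx in range(1, len(chain) - 1):
        ver = x509_version(chain[idx])
        if ver < 3:
            offending.append((idx, ver))
    return offending


# --- constructed DER stubs (not real certificates) ---------------------------
def _der(tag, content):
    assert len(content) < 128                   # short-form lengths suffice here
    return bytes([tag, len(content)]) + content


def _stub_cert(version=None, serial=1):
    """Certificate SEQUENCE { tbsCertificate SEQUENCE { [version], serial } }."""
    tbs = b""
    if version is not None:
        tbs += _der(0xA0, _der(0x02, bytes([version - 1])))
    tbs += _der(0x02, bytes([serial]))
    return _der(0x30, _der(0x30, tbs))


V3_LEAF = _stub_cert(version=3, serial=10)
V1_INTERMEDIATE = _stub_cert(version=None, serial=11)   # no [0] element at all
V3_INTERMEDIATE = _stub_cert(version=3, serial=12)
V3_ROOT = _stub_cert(version=3, serial=13)

if __name__ == "__main__":
    print("v1 intermediate flagged:",
          check_intermediates([V3_LEAF, V1_INTERMEDIATE, V3_ROOT]))   # [(1, 1)]
    print("clean chain:",
          check_intermediates([V3_LEAF, V3_INTERMEDIATE, V3_ROOT]))   # []
```

The check deliberately stops at the version field: a v1 certificate has no extensions, so it cannot carry basicConstraints and there is nothing further in it that could legitimately mark it as a CA. A real validator would also examine basicConstraints and keyUsage on the v3 intermediates it does accept; that part is outside this example.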
basic testing procedure (feel free to add to it): https://bugs.mageia.org/show_bug.cgi?id=6911#c1
CC: (none) => stormi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Basic testing as per above in M3-64 goes OK.

Note: as an additional test you can type e.g.:

GET / HTTP/1.1
Host: www.mageia.org

into gnutls-cli to simulate an HTTP request, but really this doesn't actually test the TLS any more than a random connection does, so it's somewhat pointless :)
CC: (none) => mageia
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok
Basic testing M4-64 OK.
Whiteboard: MGA3TOO has_procedure mga3-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok
Tested successfully on Mga3-32 with the procedure above.
CC: (none) => balaton
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga3-32-ok
Testing complete Mageia 4 i586. -- Validating update. Advisory has been uploaded. Please push to 3 & 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory
CC: (none) => remi, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0077.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/586796/