Upstream has released new versions today (March 3), fixing a security issue: http://openwall.com/lists/oss-security/2014/03/03/2 The issue is fixed in 3.1.22 and 3.2.12. The commits that fix it... 3.1.x: https://www.gitorious.org/gnutls/gnutls/commit/a79aed24327cfb2771062956399d5a54ede1e923 3.2.x: https://www.gitorious.org/gnutls/gnutls/commit/855127da290a280df839038671ae6aba01957736 Reproducible: Steps to Reproduce:
Updated package uploaded for Cauldron. Patched packages uploaded for Mageia 3 and Mageia 4. Advisory: ======================== Updated gnutls packages fix security vulnerability: It was discovered that GnuTLS X.509 certificate verification code failed to properly handle certain errors that can occur during the certificate verification in GnuTLS before 3.1.22 and 3.2.12. When such errors are encountered, GnuTLS would report successful verification of the certificate, even though verification should end with failure. A specially-crafted certificate can be accepted by GnuTLS as valid even if it wasn't issued by any trusted Certificate Authority. This can be used to perform man-in-the-middle attacks against applications using GnuTLS (CVE-2014-0092). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092 http://gnutls.org/security.html#GNUTLS-SA-2014-2 https://bugzilla.redhat.com/show_bug.cgi?id=1069865 ======================== Updated packages in core/updates_testing: ======================== gnutls-3.1.16-1.2.mga3 libgnutls28-3.1.16-1.2.mga3 libgnutls-ssl27-3.1.16-1.2.mga3 libgnutls-xssl0-3.1.16-1.2.mga3 libgnutls-devel-3.1.16-1.2.mga3 gnutls-3.2.7-1.2.mga4 libgnutls28-3.2.7-1.2.mga4 libgnutls-ssl27-3.2.7-1.2.mga4 libgnutls-xssl0-3.2.7-1.2.mga4 libgnutls-devel-3.2.7-1.2.mga4 from SRPMS: gnutls-3.1.16-1.2.mga3.src.rpm gnutls-3.2.7-1.2.mga4.src.rpm
Version: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: (none) => MGA3TOO
no poc found and not further information available for testing. Using this: https://bugs.mageia.org/show_bug.cgi?id=6911#c1 to show that handshake works with "gnutls-cli www.mageia.org" testing MGA3 32bit is working fine.
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK
tested the same procedure with no findings on following systems - MGA3 64bit - MGA4 32bit - MGA4 64bit as long as there is no further test procedure, this update can be validated after the advisory is uploaded.
Whiteboard: MGA3TOO MGA3-32-OK => MGA3TOO MGA4-32-OK MGA3-64-OK MGA4-32-OK MGA-64-OK
Whiteboard: MGA3TOO MGA4-32-OK MGA3-64-OK MGA4-32-OK MGA-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
RedHat has issued an advisory for this: https://rhn.redhat.com/errata/RHSA-2014-0246.html Updating our advisory. Advisory: ======================== Updated gnutls packages fix security vulnerability: It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker (CVE-2014-0092). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092 http://gnutls.org/security.html#GNUTLS-SA-2014-2 https://rhn.redhat.com/errata/RHSA-2014-0246.html
Advisory uploaded, validating
Keywords: (none) => validated_updateWhiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisoryCC: (none) => tmb, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0117.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/589237/
*** Bug 12940 has been marked as a duplicate of this bug. ***
CC: (none) => inster.css