RedHat has issued an advisory on November 12:
https://rhn.redhat.com/errata/RHSA-2014-1846.html

Freeze push request sent for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

An out-of-bounds memory write flaw was found in the way GnuTLS parsed certain ECC (Elliptic Curve Cryptography) certificates or certificate signing requests (CSR). A malicious user could create a specially crafted ECC certificate or a certificate signing request that, when processed by an application compiled against GnuTLS (for example, certtool), could cause that application to crash or execute arbitrary code with the permissions of the user running the application (CVE-2014-8564).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8564
http://www.gnutls.org/security.html#GNUTLS-SA-2014-5
https://rhn.redhat.com/errata/RHSA-2014-1846.html

========================

Updated packages in core/updates_testing:
========================
gnutls-3.1.16-1.4.mga3
libgnutls28-3.1.16-1.4.mga3
libgnutls-ssl27-3.1.16-1.4.mga3
libgnutls-xssl0-3.1.16-1.4.mga3
libgnutls-devel-3.1.16-1.4.mga3
gnutls-3.2.7-1.4.mga4
libgnutls28-3.2.7-1.4.mga4
libgnutls-ssl27-3.2.7-1.4.mga4
libgnutls-xssl0-3.2.7-1.4.mga4
libgnutls-devel-3.2.7-1.4.mga4

from SRPMS:
gnutls-3.1.16-1.4.mga3.src.rpm
gnutls-3.2.7-1.4.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
gnutls libgnutls-ssl27

default install of gnutls & libgnutls-ssl27

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.2.7-1.3.mga4.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:...........

install gnutls & libgnutls-ssl27 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.2.7-1.4.mga4.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
gnutls lib64gnutls-ssl27 lib64gnutls28

default install of gnutls lib64gnutls-ssl27 & lib64gnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.2.7-1.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.2.7-1.3.mga4.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:...........

install gnutls lib64gnutls-ssl27 & lib64gnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.2.7-1.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.2.7-1.4.mga4.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.......

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK MGA4-64-OK
Advisory uploaded.
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK advisory
Thanks for the testing hint, William.

I have a local HTTPS webserver with our own cacert that we use, so using a local copy of that cacert file, I did something like this:

gnutls-cli --x509cafile=cacert.pem lms.example.net

and then after it verified the cert I typed:

GET / HTTP/1.0

(with two hard returns after) and it printed the contents of the index page.

It always finishes with:
*** Fatal error: The TLS connection was non-properly terminated.
*** Server has terminated the connection abnormally.

I'm not sure why, but it's not a regression.

Unfortunately gnutls-cli doesn't respect the proxy environment variables, so I can't test it against www.mageia.org from here, but it should already be signed by a trusted CA, so the command William used plus the GET string I showed should be enough to get Mageia.org's index page successfully.

Testing complete Mageia 3 i586.
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK advisory => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK advisory
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
gnutls libgnutls-ssl27 libgnutls28

default install of gnutls libgnutls-ssl27 & libgnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.1.16-1.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.1.16-1.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls28
Package libgnutls28-3.1.16-1.3.mga3.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:...........

install gnutls libgnutls-ssl27 & libgnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.1.16-1.4.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.1.16-1.4.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls28
Package libgnutls28-3.1.16-1.4.mga3.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:........

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
gnutls lib64gnutls-ssl27 lib64gnutls28

default install of gnutls lib64gnutls-ssl27 & lib64gnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.1.16-1.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.1.16-1.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.1.16-1.3.mga3.x86_64 is already installed

[wilcal@localhost ~]$ gnutls-cli google.com
Processed 198 CA certificate(s).
Resolving 'google.com'...
Connecting to '2607:f8b0:4000:800::1005:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:........

install gnutls lib64gnutls-ssl27 & lib64gnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.1.16-1.4.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.1.16-1.4.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.1.16-1.4.mga3.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli google.com
Processed 198 CA certificate(s).
Resolving 'google.com'...
Connecting to '2607:f8b0:4000:809::1001:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:........

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
This update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK advisory => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA4-64-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0458.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
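
A check on the package builds reported by urpmi in the test logs above, added here as an example and not part of the bug thread: it classifies each gnutls-related package against the fixed releases named in the advisory (3.1.16-1.4 for mga3, 3.2.7-1.4 for mga4). The function names are hypothetical, and `sort -V` is assumed to be available and is used as an approximation of RPM version ordering.

```sh
#!/bin/sh
# Added example: classify gnutls package builds against the fixed releases
# listed in the advisory. Function names are hypothetical; sort -V (GNU
# coreutils) approximates RPM version ordering for these simple versions.

# Fixed version-release per Mageia release, as given in the advisory.
fixed_for() {
    case "$1" in
        mga3) echo "3.1.16-1.4" ;;
        mga4) echo "3.2.7-1.4" ;;
        *) return 1 ;;
    esac
}

# classify NAME-VERSION-RELEASE.DIST.ARCH -> fixed | vulnerable | unknown
classify() {
    rest=${1%.*}        # drop .ARCH
    dist=${rest##*.}    # mga3 / mga4
    rest=${rest%.*}     # NAME-VERSION-RELEASE
    rel=${rest##*-}
    rest=${rest%-*}     # NAME-VERSION
    ver=${rest##*-}
    want=$(fixed_for "$dist") || { echo unknown; return 0; }
    lowest=$(printf '%s\n%s\n' "$want" "$ver-$rel" | sort -V | head -n 1)
    if [ "$lowest" = "$want" ]; then echo fixed; else echo vulnerable; fi
}

# Read urpmi "Package ... is already installed" lines and report on
# every gnutls-related package found.
report() {
    while read -r word pkg trailing; do
        [ "$word" = "Package" ] || continue
        case "$pkg" in
            gnutls-*|lib*gnutls*) echo "$pkg $(classify "$pkg")" ;;
        esac
    done
}

# Sample lines copied from the test logs in this thread.
report <<'EOF'
Package gnutls-3.2.7-1.3.mga4.i586 is already installed
Package lib64gnutls28-3.2.7-1.4.mga4.x86_64 is already installed
Package libgnutls-ssl27-3.1.16-1.3.mga3.i586 is already installed
EOF
```

On a live system the same `report` function can be fed the output of the urpmi commands shown in the logs; a release not covered by the advisory is reported as `unknown` rather than guessed.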