Debian has issued an advisory on March 15 (CVE-2015-0233):
https://www.debian.org/security/2015/dsa-3191

The CVE-2015-0282 issue only affects versions before 3.1.0, so we're not affected.

More info on CVE-2015-0294 is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1196323

Backporting the patch and testcase is straightforward, which I did locally, as well as re-enabling the "make check" in the SPEC. It built, but in the test suite, it failed on the invalid-sig test case for this CVE, so I'm not sure what the deal is there.

This is a low severity issue, so I wasn't necessarily planning on issuing an update for it now, but it'd be nice to get a working fix so that we can include it in our next update.

Mageia 4 and Mageia 5 are affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
It doesn't look like Debian included the test case when they backported the patch for 3.3.x in sid, so maybe the testcase is broken.
I have checked the CVE patch (but not the test) into Mageia 4 and Cauldron SVN.
I found this commit upstream in the 3.2.x branch, which I believe fixes the same issue:
https://gitlab.com/gnutls/gnutls/commit/a8ac245ea13a533b9161f8c3ebd9560fe534a01f

They did not add a test case in 3.2.x. The test case that was added in 3.3.x still fails. Maybe there's something about the test case that only works with 3.3.x.

I've checked the patch I found into our SVN, replacing the previous one.
OpenSuSE has a PoC here: https://bugzilla.suse.com/show_bug.cgi?id=919938
An additional issue has been fixed upstream and designated GNUTLS-SA-2015-2:
http://openwall.com/lists/oss-security/2015/05/05/8

It is not believed to be exploitable.

They didn't check anything into the 3.2.x branch for it, but the patch from master applies with just a minor adjustment. It also builds fine.

I've checked this patch into Mageia 4 and Cauldron SVN also.
(In reply to David Walser from comment #5)
> An additional issue has been fixed upstream and designated GNUTLS-SA-2015-2:
> http://openwall.com/lists/oss-security/2015/05/05/8
>
> It is not believed to be exploitable.
>
> They didn't check anything into the 3.2.x branch for it, but the patch from
> master applies with just a minor adjustment. It also builds fine.
>
> I've checked this patch into Mageia 4 and Cauldron SVN also.

LWN reference for this one:
http://lwn.net/Vulnerabilities/644509/
gnutls-3.2.21-3.mga6 uploaded for Cauldron. The two patches are now checked into Mageia 5 SVN.
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
An additional issue has been fixed upstream and designated GNUTLS-SA-2015-3:
http://openwall.com/lists/oss-security/2015/08/10/1

A CVE has been requested for the issue in the message above.

Patch checked into Mageia 4, Mageia 5, and Cauldron SVN.
(In reply to David Walser from comment #8)
> An additional issue has been fixed upstream and designated GNUTLS-SA-2015-3:
> http://openwall.com/lists/oss-security/2015/08/10/1
>
> A CVE has been requested for the issue in the message above.
>
> Patch checked into Mageia 4, Mageia 5, and Cauldron SVN.

LWN reference:
http://lwn.net/Vulnerabilities/654283/

Debian has issued an advisory for this on August 12:
https://www.debian.org/security/2015/dsa-3334
(In reply to David Walser from comment #9)
> (In reply to David Walser from comment #8)
> > An additional issue has been fixed upstream and designated GNUTLS-SA-2015-3:
> > http://openwall.com/lists/oss-security/2015/08/10/1
> >
> > A CVE has been requested for the issue in the message above.
> >
> > Patch checked into Mageia 4, Mageia 5, and Cauldron SVN.
>
> LWN reference:
> http://lwn.net/Vulnerabilities/654283/
>
> Debian has issued an advisory for this on August 12:
> https://www.debian.org/security/2015/dsa-3334

Finally assigned CVE-2015-6251:
http://openwall.com/lists/oss-security/2015/08/17/6

GNUTLS-SA-2015-2 will apparently not be receiving a CVE.

There are apparently build system issues, so I will push this update tomorrow (if I remember), but here's the advisory:

Advisory:
========================

Updated gnutls packages fix security vulnerabilities:

It was reported that GnuTLS does not check whether the two signature algorithms match on certificate import (CVE-2015-0294).

Kurt Roeckx discovered that decoding a specific certificate with very long DistinguishedName (DN) entries leads to double free. A remote attacker can take advantage of this flaw by creating a specially crafted certificate that, when processed by an application compiled against GnuTLS, could cause the application to crash resulting in a denial of service (CVE-2015-6251).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6251
https://www.debian.org/security/2015/dsa-3191
https://www.debian.org/security/2015/dsa-3334
Summary: gnutls new security issue CVE-2015-0294 => gnutls new security issues CVE-2015-0294 and CVE-2015-6251
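Added example, not part of the bug thread and not GnuTLS code: the check whose absence the advisory describes for CVE-2015-0294, written as a small DER reader that extracts tbsCertificate.signature and the outer signatureAlgorithm and compares them. RFC 5280 section 4.1.1.2 requires the two to carry the same algorithm identifier; comparing the raw bytes, parameters included, is an assumption of this sketch, and the sample inputs are constructed skeletons, not valid certificates.

```python
# Added example (not GnuTLS code): do the two signature algorithm fields agree?
def read_tlv(buf, pos, end):
    """Parse one DER element in buf[pos:end]; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("element overruns its container")
    return tag, pos, pos + length

def expect(buf, pos, end, want, name):
    """Read one element and insist on its tag; return (value_start, value_end)."""
    tag, start, stop = read_tlv(buf, pos, end)
    if tag != want:
        raise ValueError(f"{name}: expected tag 0x{want:02x}, got 0x{tag:02x}")
    return start, stop

def signature_algorithms(cert):
    """Return (inner, outer) raw DER AlgorithmIdentifiers of a certificate."""
    c_start, c_end = expect(cert, 0, len(cert), 0x30, "Certificate")
    t_start, t_end = expect(cert, c_start, c_end, 0x30, "tbsCertificate")
    _, o_end = expect(cert, t_end, c_end, 0x30, "signatureAlgorithm")
    pos = t_start
    if pos < t_end and cert[pos] == 0xA0:  # optional [0] version
        _, pos = expect(cert, pos, t_end, 0xA0, "version")
    _, pos = expect(cert, pos, t_end, 0x02, "serialNumber")
    _, i_end = expect(cert, pos, t_end, 0x30, "signature")
    return cert[pos:i_end], cert[t_end:o_end]

def algorithms_match(cert):
    inner, outer = signature_algorithms(cert)
    return inner == outer

# Constructed sample input: skeletons holding only the fields the check reads.
def der(tag, body):  # short-form length only, enough for these samples
    return bytes([tag, len(body)]) + body
SHA256_RSA = der(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
SHA1_RSA = der(0x30, bytes.fromhex("06092a864886f70d0101050500"))

def skeleton(inner, outer):
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + inner)
    return der(0x30, tbs + outer + der(0x03, b"\x00"))
GOOD = skeleton(SHA256_RSA, SHA256_RSA)
MISMATCH = skeleton(SHA1_RSA, SHA256_RSA)
```

A certificate for which algorithms_match returns False should be rejected at import, before any signature verification is attempted.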
Patched packages uploaded for Mageia 4 and Mageia 5.

Advisory in Comment 10.

Updated packages in core/updates_testing:
========================
gnutls-3.2.7-1.7.mga4
libgnutls28-3.2.7-1.7.mga4
libgnutls-ssl27-3.2.7-1.7.mga4
libgnutls-xssl0-3.2.7-1.7.mga4
libgnutls-devel-3.2.7-1.7.mga4
gnutls-3.2.21-1.1.mga5
libgnutls28-3.2.21-1.1.mga5
libgnutls-ssl27-3.2.21-1.1.mga5
libgnutls-xssl0-3.2.21-1.1.mga5
libgnutls-devel-3.2.21-1.1.mga5

from SRPMS:
gnutls-3.2.7-1.7.mga4.src.rpm
gnutls-3.2.21-1.1.mga5.src.rpm
Assignee: bugsquad => qa-bugs
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
gnutls libgnutls-ssl27 libgnutls28

default install of gnutls libgnutls-ssl27 & libgnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.2.7-1.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls28
Package libgnutls28-3.2.7-1.4.mga4.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:...........
ctrl-z out

install gnutls libgnutls-ssl27 & libgnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.7.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.2.7-1.7.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls28
Package libgnutls28-3.2.7-1.7.mga4.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.........
CC: (none) => wilcal.int
Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
gnutls lib64gnutls-ssl27 lib64gnutls28

default install of gnutls lib64gnutls-ssl27 & lib64gnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.2.7-1.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.2.7-1.4.mga4.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.........
ctrl-z out

install gnutls lib64gnutls-ssl27 & lib64gnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.7.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.2.7-1.7.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.2.7-1.7.mga4.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.........

update successful
Whiteboard: MGA4TOO MGA4-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
gnutls libgnutls-ssl27 libgnutls28

default install of gnutls libgnutls-ssl27 & libgnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.21-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.2.21-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls28
Package libgnutls28-3.2.21-1.mga5.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.........
ctrl-z out

install gnutls libgnutls-ssl27 & libgnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.21-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.2.21-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls28
Package libgnutls28-3.2.21-1.1.mga5.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.........

update successful
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
gnutls lib64gnutls-ssl27 lib64gnutls28

default install of gnutls lib64gnutls-ssl27 & lib64gnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.21-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.2.21-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.2.21-1.mga5.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.........
ctrl-z out

install gnutls lib64gnutls-ssl27 & lib64gnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.21-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.2.21-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.2.21-1.1.mga5.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:

update successful
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Testing complete for mga5 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Before sysadmins push the update, someone from QA must upload the advisory to SVN.
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0322.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED