Bug 17467 - gnutls, nss, openssl new security issue CVE-2015-7575
Summary: gnutls, nss, openssl new security issue CVE-2015-7575
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: Cauldron
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/669862/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-08 17:43 CET by David Walser
Modified: 2016-01-08 17:44 CET (History)
0 users

See Also:
Source RPM: gnutls, nss, openssl
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-01-08 17:43:46 CET 
RedHat has issued advisories on January 7:
https://rhn.redhat.com/errata/RHSA-2016-0012.html
https://rhn.redhat.com/errata/RHSA-2016-0007.html
https://rhn.redhat.com/errata/RHSA-2016-0008.html

RedHat's bug for this:
https://bugzilla.redhat.com/show_bug.cgi?id=1289841

points to an OpenSSL commit from 2013 that fixes it, so I believe we're not affected there.  OpenSSL also has no new security advisory this week.

For gnutls, the patch they applied:
https://git.centos.org/raw/rpms!gnutls.git/4c24d76d039c9447f3fc6d70a32377b19f238521/SOURCES!gnutls-3.3.8-md5-downgrade.patch

has already been applied upstream in the version of gnutls that we have.

For NSS, we have the newest version 3.21.  It was fixed, that I know of, in 3.20.2, which came out later, but I'm assuming it was also fixed in 3.21, otherwise they would have issued 3.21.1.  If I'm wrong, I'm sure they will fix it in 3.21.1, which will go out with our normal Firefox updates.

So, we're not affected by this.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2016-01-08 17:44:03 CET 
Just filed this to have it documented.

Status: NEW => RESOLVED
Resolution: (none) => INVALID
Note You need to log in before you can comment on or make changes to this bug.