Fedora has issued an advisory on September 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R3BHGPTCK63HOFYABBXNV567ESVRRKQD/

The issue is fixed upstream in 3.4.15.

Freeze push requested for Cauldron. Patch checked in to Mageia 5 SVN.

Updated package uploaded for Cauldron. Patched package uploaded for Mageia 5.

Advisory:
========================

Updated gnutls packages fix security vulnerabilities:

An issue was found in certificate validation using OCSP responses caused by not verifying the serial length, which can falsely report a certificate as valid (GNUTLS-SA-2016-3).

References:
http://gnutls.org/security.html#GNUTLS-SA-2016-3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R3BHGPTCK63HOFYABBXNV567ESVRRKQD/
========================

Updated packages in core/updates_testing:
========================
gnutls-3.2.21-1.2.mga5
libgnutls28-3.2.21-1.2.mga5
libgnutls-ssl27-3.2.21-1.2.mga5
libgnutls-xssl0-3.2.21-1.2.mga5
libgnutls-devel-3.2.21-1.2.mga5

from gnutls-3.2.21-1.2.mga5.src.rpm
Assignee: bugsquad => qa-bugs
MGA5-32 on Acer D620 Xfce
No installation issues.
Followed test as per bug 15504 Comment 14
at CLI:
$ gnutls-cli www.mageia.org
Processed 199 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
and more info
ctrl-z out
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
This has been assigned CVE-2016-7444:
http://openwall.com/lists/oss-security/2016/09/18/7

Advisory:
========================

Updated gnutls packages fix security vulnerabilities:

An issue was found in certificate validation using OCSP responses caused by not verifying the serial length, which can falsely report a certificate as valid (CVE-2016-7444).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7444
http://gnutls.org/security.html#GNUTLS-SA-2016-3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R3BHGPTCK63HOFYABBXNV567ESVRRKQD/
http://openwall.com/lists/oss-security/2016/09/18/7
Summary: gnutls new security issue GNUTLS-SA-2016-3 => gnutls new security issue GNUTLS-SA-2016-3 (CVE-2016-7444)
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0326.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
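
The advisory text above describes a serial comparison that does not verify length. The following is an added illustration of that class of bug beside a length-checked version; it is not GnuTLS code and not part of this bug report. All type and function names and the serial bytes are hypothetical, constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical types for this example; not GnuTLS structures. */
enum status { ST_NOT_COVERED = -1, ST_GOOD = 0, ST_REVOKED = 1 };
struct serial { const unsigned char *data; size_t size; };
struct single_resp { struct serial serial; enum status status; };

/* Flawed: compares only the bytes both serials share; the lengths are
 * never checked against each other, so a prefix counts as a match. */
static int match_unchecked(const struct serial *c, const struct serial *r)
{
    size_t n = c->size < r->size ? c->size : r->size;
    return memcmp(c->data, r->data, n) == 0;
}

/* Hardened: lengths must be equal before the bytes are compared. */
static int match_checked(const struct serial *c, const struct serial *r)
{
    return c->size == r->size && memcmp(c->data, r->data, r->size) == 0;
}

typedef int (*match_fn)(const struct serial *, const struct serial *);

/* Status of the first response entry whose serial matches the certificate,
 * or ST_NOT_COVERED when the response says nothing about it. */
enum status lookup(const struct serial *cert, const struct single_resp *resp,
                   size_t n, match_fn match)
{
    for (size_t i = 0; i < n; i++)
        if (match(cert, &resp[i].serial))
            return resp[i].status;
    return ST_NOT_COVERED;
}

/* Constructed sample data: the response vouches for serial 12 34 only;
 * the certificate being checked has the longer serial 12 34 56. */
static const unsigned char RESP_SERIAL[] = { 0x12, 0x34 };
static const unsigned char CERT_SERIAL[] = { 0x12, 0x34, 0x56 };

enum status demo(int hardened)
{
    struct single_resp resp[] = { { { RESP_SERIAL, sizeof RESP_SERIAL }, ST_GOOD } };
    struct serial cert = { CERT_SERIAL, sizeof CERT_SERIAL };
    return lookup(&cert, resp, 1, hardened ? match_checked : match_unchecked);
}

int main(void) { return demo(1) == ST_NOT_COVERED ? 0 : 1; }
```

With the unchecked comparison the certificate inherits the "good" status of a different serial; with the length check the response is correctly treated as not covering it.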