GnuTLS has issued advisories GNUTLS-SA-2017-1 and GNUTLS-SA-2017-2 on January 9:
The issues are fixed in 3.3.26 and 3.5.8.
CVEs have been assigned for the issues:
Upstream commits to fix the issues are linked in the message above.
Cauldron has already been updated to 3.5.8.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
gnutls in Mageia 5 is also affected by CVE-2016-8610, fixed in this commit:
SUSE has issued an advisory for this on January 27:
Summary changed from "gnutls new security issues CVE-2017-533[4-7]" to "gnutls new security issues CVE-2017-533[4-7] and CVE-2016-8610".
The updated packages fix security vulnerabilities:
Remote denial of service in SSL alert handling. (CVE-2016-8610)
In gnutls_x509_ext_import_proxy: if the language was set but the policy wasn't, that could lead to a double free. (CVE-2017-5334)
Decoding a specially crafted OpenPGP certificate could have led to heap and stack overflows. (CVE-2017-5335, CVE-2017-5336 and CVE-2017-5337)
Updated packages in core/updates_testing:
Testing complete on Mageia 5 i586 and x86_64 using
Validating the update
advisory MGA5-64-OK MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository.