GnuTLS has issued advisories GNUTLS-SA-2017-1 and GNUTLS-SA-2017-2 on January 9:
http://www.gnutls.org/security.html

The issues are fixed in 3.3.26 and 3.5.8.

CVEs have been assigned for the issues:
http://openwall.com/lists/oss-security/2017/01/11/4

Upstream commits to fix the issues are linked in the message above.

Cauldron has already been updated to 3.5.8.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
URL: (none) => https://lwn.net/Vulnerabilities/711464/
gnutls in Mageia 5 is also affected by CVE-2016-8610, fixed in this commit:
https://gitlab.com/gnutls/gnutls/commit/1ffb827e45721ef56982d0ffd5c5de52376c428e

SUSE has issued an advisory for this on January 27:
https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00063.html
Summary: gnutls new security issues CVE-2017-533[4-7] => gnutls new security issues CVE-2017-533[4-7] and CVE-2016-8610
Severity: normal => major
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Remote denial of service in SSL alert handling. (CVE-2016-8610)

In gnutls_x509_ext_import_proxy: if the language was set but the policy wasn't, that could lead to a double free. (CVE-2017-5334)

Decoding a specially crafted OpenPGP certificate could have led to heap and stack overflows. (CVE-2017-5335, CVE-2017-5336 and CVE-2017-5337)

References:
https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00063.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8610
http://www.gnutls.org/security.html
http://openwall.com/lists/oss-security/2017/01/11/4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5334
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5335
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5336
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5337
========================

Updated packages in core/updates_testing:
========================

gnutls-3.2.21-1.3.mga5
lib(64)gnutls28-3.2.21-1.3.mga5
lib(64)gnutls-ssl27-3.2.21-1.3.mga5
lib(64)gnutls-xssl0-3.2.21-1.3.mga5
lib(64)gnutls-devel-3.2.21-1.3.mga5

from SRPMS:
gnutls-3.2.21-1.3.mga5.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Testing complete on Mageia 5 i586 and x86_64 using https://bugs.mageia.org/show_bug.cgi?id=6911#c1

Validating the update.
Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0053.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED