Upstream has issued an advisory on March 6: http://www.gnutls.org/security.html#GNUTLS-SA-2017-3
3.2.x is likely affected as well.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Hi, Given that version 3.2.x has no upstream support and that version 3.3.x, which is maintained by upstream, is binary compatible with 3.2.x, maybe we should switch to 3.3.x rather than trying to backport security fixes into 3.2.x. What do you think about that idea? Best regards, Nico.
I've thought about that. I'm not sure it's that simple. I believe 3.3.x uses nettle3 and not nettle2.7, and I'm not sure it's fully source compatible.
According to http://www.linuxfromscratch.org/blfs/view/7.7/postlfs/gnutls.html, version 3.3.x also requires nettle2.7 (whereas version 3.4.x and above requires nettle3).
I also found a link which can be useful: http://www.gnutls.org/abi-tracker/timeline/gnutls/
GNUTLS-SA-2017-4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K6EJKC5TAT25O4NQDPIFZ5T4EYT6SX2B/
http://www.gnutls.org/security.html#GNUTLS-SA-2017-4
I'm not 100% sure if it affects Mageia 5.
Summary: gnutls new security issue GNUTLS-SA-2017-3 => gnutls new security issue GNUTLS-SA-2017-3 and CVE-2017-7507
Ubuntu has issued an advisory for this on June 13: https://www.ubuntu.com/usn/usn-3318-1/ It identifies CVE-2017-7869 as a subset of GNUTLS-SA-2017-3.
Debian advisory for CVE-2017-7507 from June 16: https://www.debian.org/security/2017/dsa-3884
URL: (none) => https://www.debian.org/security/2017/dsa-3884
CC: (none) => zombie_ryushu
openSUSE has issued an advisory for these issues today (July 15): https://lists.opensuse.org/opensuse-updates/2017-07/msg00064.html They patch gnutls 3.2, which we have in Mageia 5, so I guess it's affected then.
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10. (CVE-2017-7869)

GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer dereference while decoding a status response TLS extension with valid contents. This could lead to a crash of the GnuTLS server application. (CVE-2017-7507)

References:
https://lists.opensuse.org/opensuse-updates/2017-07/msg00064.html
http://www.gnutls.org/security.html#GNUTLS-SA-2017-3
http://www.gnutls.org/security.html#GNUTLS-SA-2017-4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7869
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7507
========================

Updated packages in core/updates_testing:
========================
gnutls-3.2.21-1.4.mga5
lib(64)gnutls28-3.2.21-1.4.mga5
lib(64)gnutls-ssl27-3.2.21-1.4.mga5
lib(64)gnutls-xssl0-3.2.21-1.4.mga5
lib(64)gnutls-devel-3.2.21-1.4.mga5

from SRPMS:
gnutls-3.2.21-1.4.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2017-7869, CVE-2017-7507
Source RPM: gnutls-3.2.21-1.2.mga5.src.rpm => gnutls-3.2.21-1.3.mga5.src.rpm
Wikipedia describes this package as "a free software implementation of the TLS, SSL and DTLS protocols. It offers an application programming interface (API) for applications to enable secure communication over the network transport layer...".

There is some discussion amongst SuSE contributors about reproducing the security issue(s) within a fuzzing test environment using gdb and ASAN in the analysis. A test case is available. All this makes it unlikely that QA can do much to test this, so we have to fall back to the clean install scenario.

Note that mga6 has gnutls version 3.5.13-1.

sugar-presence-service requires gnutls but is yet another development system.

lib64gnutls28 is required by:
abiword bitlbee claws-mail connman emacs empathy filezilla gtk-gnutella pacemaker prelude-manager prelude-tools qemu systemd taskserver tigervnc vino webkit2 weechat wine64 xen xfce4-mailwatch-plugin xombrero
among many other applications and libraries, but loading and running any of these is not going to guarantee that the gnutls components are exercised.

Installed the updates:
- gnutls-3.2.21-1.4.mga5.x86_64
- lib64gnutls-devel-3.2.21-1.4.mga5.x86_64
- lib64gnutls-ssl27-3.2.21-1.4.mga5.x86_64
- lib64gnutls-xssl0-3.2.21-1.4.mga5.x86_64
- lib64gnutls28-3.2.21-1.4.mga5.x86_64

Ran xombrero, a lightweight browser; typed apod into the search field, then selected a site from the Duck'a'gogo list and brought up Astronomy Picture of the Day, which was a Youtube video - that played fine.

Passing this for x86_64.
Whiteboard: (none) => MGA5-64-OK
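The QA comment above notes that starting an application which depends on lib64gnutls28 does not guarantee the library is exercised. One check that at least narrows the gap is to look at the process's memory map and confirm it has mapped libgnutls from the updated package. The script below is an added example, not code from the bug report, from Mageia QA or from the GnuTLS project. It assumes (none of this is stated in the thread) that the package file list is obtained with `rpm -ql <package>`, that /proc/<pid>/maps is readable, and that the mapped path appears verbatim in the package list (no symlink resolution). The library paths in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or from GnuTLS): confirm that a
# running process has mapped libgnutls from the updated package, instead of
# assuming that launching a dependent application exercised the library.
#
# Assumptions (not stated in the thread):
#   - the package file list comes from `rpm -ql <package>`
#   - /proc/<pid>/maps is readable for the process under test
#   - the mapped path matches the package list verbatim (no symlink resolution)

# mapped_libs MAPS_FILE PATTERN
# Print the distinct file-backed mappings whose path matches PATTERN.
# Field 6 of a /proc/<pid>/maps line is the backing path; anonymous
# mappings have no sixth field and therefore never match.
mapped_libs() {
    awk -v pat="$2" '$6 ~ pat { print $6 }' "$1" | sort -u
}

# mapped_libs_from_package MAPS_FILE PATTERN PKG_FILE_LIST
# Return 0 if at least one mapping matches PATTERN and every matching
# mapping is listed in PKG_FILE_LIST (one absolute path per line).
# Return 1 if nothing matched, or if a match comes from some other file
# (for instance a stale copy the process loaded before the update).
mapped_libs_from_package() {
    maps_file=$1
    pattern=$2
    pkg_files=$3
    found=0
    for lib in $(mapped_libs "$maps_file" "$pattern"); do
        found=1
        grep -qxF "$lib" "$pkg_files" || return 1
    done
    [ "$found" -eq 1 ]
}

# check_pid PID PACKAGE
# Live check against a running process, for example (constructed usage):
#   check_pid "$(pidof xombrero)" lib64gnutls28
check_pid() {
    pid=$1
    package=$2
    list=$(mktemp) || return 1
    rpm -ql "$package" > "$list"
    if mapped_libs_from_package "/proc/$pid/maps" 'libgnutls' "$list"; then
        echo "pid $pid: libgnutls is mapped from $package"
        rc=0
    else
        echo "pid $pid: libgnutls not mapped, or mapped from a file outside $package"
        rc=1
    fi
    rm -f "$list"
    return $rc
}

# Run the live check only when a pid and a package name are supplied.
if [ "$#" -eq 2 ]; then
    check_pid "$1" "$2"
fi
```

This only proves that the process loaded the rebuilt shared object; it says nothing about whether the code paths named in the advisory (status response extension decoding for CVE-2017-7507, OpenPGP packet parsing in opencdk for CVE-2017-7869) were ever reached. It does catch the common QA false positive where a long-running process started before the update is still executing the old library.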
$ uname -a
Linux localhost 4.4.74-desktop586-1.mga5 #1 SMP Mon Jun 26 07:48:29 UTC 2017 i686 i686 i686 GNU/Linux

The following 4 packages are going to be installed:
- gnutls-3.2.21-1.4.mga5.i586
- libgnutls-ssl27-3.2.21-1.4.mga5.i586
- libgnutls-xssl0-3.2.21-1.4.mga5.i586
- libgnutls28-3.2.21-1.4.mga5.i586
3.4MB of additional disk space will be used.
2MB of packages will be retrieved.
Is it ok to continue?

Installing xombrero
The following 4 packages are going to be installed:
- glib-networking-2.42.1-1.mga5.i586
- libbsd0-0.7.0-3.mga5.i586
- libglib-networking-2.42.1-1.mga5.i586
- xombrero-1.6.3-3.mga5.i586
887KB of additional disk space will be used.
349KB of packages will be retrieved.
Is it ok to continue?

I followed Len's lead as well as tried a few other websites using xombrero. Seems to be working to me.
CC: (none) => brtians1
Whiteboard: MGA5-64-OK => MGA5-64-OK mga5-32-ok
Whiteboard: MGA5-64-OK mga5-32-ok => MGA5-64-OK mga5-32-ok advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0212.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED