openSUSE has issued advisories on September 25 and October 1:
https://lists.opensuse.org/opensuse-updates/2018-09/msg00147.html
https://lists.opensuse.org/opensuse-updates/2018-10/msg00000.html
It looks like all are fixed with a merge request upstream:
https://gitlab.com/gnutls/gnutls/merge_requests/657
Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => guillomovitch, marja11, pterjan, smelror, tmb
Hi,
Version 3.6.3 (Cauldron) already contains the fixes for those issues.
Best regards,
Nico.
CC: (none) => nicolas.salguero
Suggested advisory:
========================
The updated packages fix security vulnerabilities:
It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets. (CVE-2018-10844)
It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets. (CVE-2018-10845)
A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets. (CVE-2018-10846)
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10846
https://lists.opensuse.org/opensuse-updates/2018-09/msg00147.html
https://lists.opensuse.org/opensuse-updates/2018-10/msg00000.html
========================
Updated packages in core/updates_testing:
========================
gnutls-3.5.13-1.1.mga6
lib(64)gnutls30-3.5.13-1.1.mga6
lib(64)gnutlsxx28-3.5.13-1.1.mga6
lib(64)gnutls-devel-3.5.13-1.1.mga6
from SRPMS:
gnutls-3.5.13-1.1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2018-10844, CVE-2018-10845, CVE-2018-10846
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 20417 Comment 11:
I installed xombrero, point it to google, enter "apod" in the search field and select the astronomical picture of the day. Very nice.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Performed the same test with 64-bit, because it sounded really easy, and indeed it looks very nice. OK for 64-bit. Validating. Advisory in Comment 3.
Whiteboard: MGA6-32-OK => MGA6-64-OK MGA6-32-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0435.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED