Fedora has issued an advisory on December 18: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/INZ7O52ANE3RPKUWDI3TKPVVHQNKHVKY/ The issue is fixed upstream in 3.6.5.
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => guillomovitch, marja11, smelror, thierry.vignaud, tmb
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server. (CVE-2018-16868)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16868
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/INZ7O52ANE3RPKUWDI3TKPVVHQNKHVKY/
========================

Updated packages in core/updates_testing:
========================
gnutls-3.5.13-1.2.mga6
lib(64)gnutls30-3.5.13-1.2.mga6
lib(64)gnutlsxx28-3.5.13-1.2.mga6
lib(64)gnutls-devel-3.5.13-1.2.mga6

from SRPMS:
gnutls-3.5.13-1.2.mga6.src.rpm
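The defect class the advisory describes, as an added illustration that is not gnutls code and not part of this bug: a PKCS#1 v1.5 type-2 padding check that exits on the first bad byte (so its timing and branches depend on the decrypted secret) beside the constant-time form of the same check for a message of known length, the pattern used for a TLS RSA premaster secret. The function names, the constructed 32-byte sample block and the convention of substituting random bytes on failure are my assumptions, not anything taken from this update.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* 1 if a == b, else 0, with no data-dependent branch. */
static uint32_t ct_eq(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;
    return ((x | (0u - x)) >> 31) ^ 1;
}
/* 1 if a < b, else 0; valid for a, b < 2^31. */
static uint32_t ct_lt(uint32_t a, uint32_t b) { return (a - b) >> 31; }
/* Leaky form: exits at the first bad byte, so its timing and branches depend
 * on the secret decrypted bytes. em = 00 || 02 || PS || 00 || M, mlen = |M|. */
int unpad_leaky(const uint8_t *em, size_t k, uint8_t *out, size_t mlen)
{
    if (k < 11 + mlen || em[0] != 0x00 || em[1] != 0x02) return 0;
    size_t i = 2;
    while (i < k && em[i] != 0x00) i++;              /* find the separator */
    if (i != k - mlen - 1) return 0;
    memcpy(out, em + i + 1, mlen); return 1;
}
/* Constant-time form: k and mlen are public, em is secret. Every byte is
 * examined, all checks fold into one 0/1 flag and the copy is from a fixed
 * position. On 0 the caller substitutes random bytes rather than signalling. */
int unpad_ct(const uint8_t *em, size_t k, uint8_t *out, size_t mlen)
{
    if (k < 11 + mlen) return 0;                     /* public lengths only */
    uint32_t good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    uint32_t found = 0, sep = 0;
    for (size_t i = 2; i < k; i++) {
        uint32_t z = ct_eq(em[i], 0x00);
        uint32_t first = z & (found ^ 1);            /* first zero byte so far */
        sep |= (uint32_t)i & (0u - first);           /* record its index by mask */
        found |= z;
    }
    /* separator present, PS at least 8 bytes, M of the expected length */
    good &= found & ct_lt(9, sep) & ct_eq(sep, (uint32_t)(k - mlen - 1));
    memcpy(out, em + k - mlen, mlen);                /* always copy */
    return (int)good;
}
/* Constructed 32-byte block: type 2, 25-byte PS, separator, then "TEST".
 * corrupt = 1 flips the block-type byte. Returns 1 only if both accept and agree. */
int demo(int corrupt)
{
    uint8_t em[32] = {0}, a[4], b[4];
    em[1] = corrupt ? 0x01 : 0x02; memset(em + 2, 0xAB, 25); memcpy(em + 28, "TEST", 4);
    return unpad_ct(em, 32, a, 4) && unpad_leaky(em, 32, b, 4) &&
           memcmp(a, "TEST", 4) == 0 && memcmp(a, b, 4) == 0;
}
```

Both functions accept or reject the same blocks; the difference is only in what their execution reveals, which is exactly what a co-resident attacker measures in the advisory's scenario.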
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2018-16868
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Installed and tested without issues.

Tested by normal system use (lots of packages depend on gnutls) and explicitly tested with various applications (e.g. aria2c, mplayer, gnutls-cli). There were no issues.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.100-desktop-1.mga6 #1 SMP Fri Feb 15 09:29:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep gnutls | sort
gnutls-3.5.13-1.2.mga6
lib64glib-networking-gnutls-2.50.0-1.mga6
lib64gnutls30-3.5.13-1.2.mga6
libglib-networking-gnutls-2.50.0-1.mga6
libgnutls30-3.5.13-1.2.mga6
vlc-plugin-gnutls-3.0.5-2.mga6.tainted
$

$ LANGUAGE=C strace -o aria2c.log aria2c 'https://example.com/'
<SNIP>
(OK):download completed.

$ grep gnutls aria2c.log
open("/usr/lib64/libgnutls.so.30", O_RDONLY|O_CLOEXEC) = 3
stat("/etc/gnutls/default-priorities", 0x7ffe2ee1c4c0) = -1 ENOENT (No such file or directory)
$

$ LANGUAGE=C strace -o mplayer.log mplayer 'https://example.com/example.mp4'
<SNIP>
Playing https://example.com/example.mp4.
libavformat version 57.71.100 (external)
[https @ 0x7f8246735840]HTTP error 404 Not Found
Failed to open https://example.com/example.mp4.
<SNIP>

$ grep gnutls mplayer.log
open("/lib64/libgnutls.so.30", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libgnutls.so.30.14.5", O_RDONLY) = 3
stat("/etc/gnutls/default-priorities", 0x7ffffb19ae80) = -1 ENOENT (No such file or directory)
$

$ gnutls-cli example.com
Processed 155 CA certificate(s).
Resolving 'example.com:443'...
Connecting to '93.184.216.34:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0fd078dd48f1a2bd4d0f2ba96b6038fe, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-11-28 00:00:00 UTC', expires `2020-12-02 12:00:00 UTC', pin-sha256="i9HalScvf6T/skE3/A7QOq5n5cTYs8UHNOEFCnkguSI="
Whiteboard: (none) => MGA6-64-OK
CC: (none) => mageia
I'm going to call this enough. Validating. Suggested advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0103.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED