24590 – gnutls new security issue CVE-2019-3829

Bug 24590 - gnutls new security issue CVE-2019-3829

Summary: gnutls new security issue CVE-2019-3829

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	6
Hardware:	All Linux

Priority:	Normal Severity: critical
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA6-32-OK MGA6-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2019-03-29 13:49 CET by David Walser
Modified:	2019-04-05 20:14 CEST (History)
CC List:	7 users (show)

See Also:
Source RPM:	gnutls-3.5.13-1.2.mga6.src.rpm
CVE:	CVE-2019-3829
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2019-03-29 13:49:44 CET

In upstream GNUTLS-SA-2019-03-27 at:
https://www.gnutls.org/security-new.html

CVE-2019-3829 affects Mageia 6.  That, and CVE-2019-3836, were fixed in Cauldron by updating to 3.6.7.

CVE-2019-3829 is:
https://gitlab.com/gnutls/gnutls/issues/694

Comment 1 Marja Van Waes 2019-03-30 08:47:48 CET

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, nicolas.salguero, smelror

Comment 2 David Walser 2019-03-31 21:59:38 CEST

Fedora has issued an advisory for this today (March 31):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WRSOL66LHP4SD3Y2ECJDOGT4K663ECDU/

Comment 3 Nicolas Salguero 2019-04-01 14:41:46 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. A memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected. (CVE-2019-3829)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3829
https://www.gnutls.org/security-new.html
https://gitlab.com/gnutls/gnutls/issues/694
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WRSOL66LHP4SD3Y2ECJDOGT4K663ECDU/
========================

Updated packages in core/updates_testing:
========================
gnutls-3.5.13-1.3.mga6
lib(64)gnutls30-3.5.13-1.3.mga6
lib(64)gnutlsxx28-3.5.13-1.3.mga6
lib(64)gnutls-devel-3.5.13-1.3.mga6

from SRPMS:
gnutls-3.5.13-1.3.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-3829

Comment 4 Herman Viaene 2019-04-02 10:54:34 CEST

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref to bug 23682 Comment 4 : I installed xombrero, point it to google, enter "apod" in the search field and select the astronomical picture of the day.
Looks OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2019-04-02 21:20:26 CEST

MGA6-64 Plasma on AMD/nvidia-based system

Performed the same tests as Herman, because they again sounded really easy. Looked at several Pictures of the Day, and all looked nice. No issues.

This one looks good. Validating. Suggested advisory in Comment 3.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2019-04-04 15:05:02 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2019-04-05 20:14:30 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0134.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.