Bug 26444 - gnutls new security issue CVE-2020-11501
Summary: gnutls new security issue CVE-2020-11501
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-04-06 22:34 CEST by David Walser
Modified: 2020-04-15 12:13 CEST
CC: 5 users

See Also:
Source RPM: gnutls-3.6.7-1.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2020-04-06 22:34:05 CEST
Debian has issued an advisory on April 4:
https://www.debian.org/security/2020/dsa-4652

The issue is fixed upstream in 3.6.13.
Comment 1 Lewis Smith 2020-04-07 09:56:24 CEST
Assigning to you, DavidG, as having committed this previously. No registered maintainer.
It looks as if DavidW has just committed 3.6.13.

Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2020-04-07 14:41:11 CEST
Done for mga7!
Comment 3 David Walser 2020-04-07 15:41:23 CEST
Advisory:
========================

Updated gnutls packages fix security vulnerability:

A flaw was reported in the DTLS protocol implementation in GnuTLS. The DTLS
client would not contribute any randomness to the DTLS negotiation, breaking
the security guarantees of the DTLS protocol (CVE-2020-11501).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11501
https://www.debian.org/security/2020/dsa-4652
========================

Updated packages in core/updates_testing:
========================
gnutls-3.6.7-1.1.mga7
libgnutls30-3.6.7-1.1.mga7
libgnutlsxx28-3.6.7-1.1.mga7
libgnutls-devel-3.6.7-1.1.mga7

from gnutls-3.6.7-1.1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
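
The advisory above describes a DTLS client that supplies no randomness to the negotiation. A defender reviewing captured DTLS traffic can check for that symptom directly: the 32-byte random in each ClientHello should never be all zeros and should never repeat between handshakes. The following Python is an added example, not code from the bug report or from GnuTLS; it parses an unfragmented DTLS 1.2 ClientHello (record header, handshake header, hello body, per RFC 6347), extracts the client random, and flags all-zero or repeated values. The datagrams it audits are constructed inline; the all-zero/repeat heuristic is this example's own assumption about what "no randomness" looks like on the wire, not a statement from the advisory.

```python
from typing import Dict, List, Optional

# DTLS framing constants (RFC 6347)
CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
DTLS_RECORD_HEADER_LEN = 13     # type(1) version(2) epoch(2) seq(6) length(2)
DTLS_HANDSHAKE_HEADER_LEN = 12  # type(1) length(3) msg_seq(2) frag_off(3) frag_len(3)


def build_client_hello(random32: bytes, cookie: bytes = b"") -> bytes:
    """Serialise a minimal DTLS 1.2 ClientHello datagram (constructed sample, not real traffic)."""
    assert len(random32) == 32
    body = b"\xfe\xfd" + random32            # client_version: DTLS 1.2 is {254, 253}
    body += b"\x00"                          # session_id length 0
    body += bytes([len(cookie)]) + cookie    # HelloVerifyRequest cookie (empty on first flight)
    body += b"\x00\x02" + b"\xc0\x2f"        # one cipher suite (constructed value)
    body += b"\x01\x00"                      # one compression method: null
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big")
    hs += b"\x00\x00"                        # message_seq 0
    hs += (0).to_bytes(3, "big") + len(body).to_bytes(3, "big")  # fragment_offset / fragment_length
    hs += body
    rec = bytes([CONTENT_TYPE_HANDSHAKE]) + b"\xfe\xfd" + b"\x00\x00" + (0).to_bytes(6, "big")
    return rec + len(hs).to_bytes(2, "big") + hs


def extract_client_random(datagram: bytes) -> Optional[bytes]:
    """Return the 32-byte ClientHello random, or None if the datagram is not an unfragmented ClientHello."""
    if len(datagram) < DTLS_RECORD_HEADER_LEN:
        return None
    rec_len = int.from_bytes(datagram[11:13], "big")
    if datagram[0] != CONTENT_TYPE_HANDSHAKE or len(datagram) < DTLS_RECORD_HEADER_LEN + rec_len:
        return None
    hs = datagram[DTLS_RECORD_HEADER_LEN:DTLS_RECORD_HEADER_LEN + rec_len]
    if len(hs) < DTLS_HANDSHAKE_HEADER_LEN or hs[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    msg_len = int.from_bytes(hs[1:4], "big")
    frag_off = int.from_bytes(hs[6:9], "big")
    frag_len = int.from_bytes(hs[9:12], "big")
    if frag_off != 0 or frag_len != msg_len:   # fragmented hello would need reassembly first
        return None
    body = hs[DTLS_HANDSHAKE_HEADER_LEN:DTLS_HANDSHAKE_HEADER_LEN + frag_len]
    if len(body) < 2 + 32:                     # client_version + random must be present
        return None
    return body[2:34]


def audit_client_randoms(datagrams: List[bytes]) -> Dict[str, List[int]]:
    """Flag datagram indices whose client random is all-zero or repeats an earlier one (heuristic)."""
    findings: Dict[str, List[int]] = {"all_zero": [], "repeated": []}
    seen: Dict[bytes, int] = {}
    for idx, dg in enumerate(datagrams):
        rnd = extract_client_random(dg)
        if rnd is None:
            continue
        if rnd == bytes(32):
            findings["all_zero"].append(idx)
        if rnd in seen:
            findings["repeated"].append(idx)
        else:
            seen[rnd] = idx
    return findings


# Constructed capture: one zero random, one fixed random sent twice, one varying random.
SAMPLE_DATAGRAMS = [
    build_client_hello(bytes(32)),
    build_client_hello(bytes([0x11]) * 32),
    build_client_hello(bytes(range(32))),
    build_client_hello(bytes([0x11]) * 32),
]


def audit_sample() -> Dict[str, List[int]]:
    return audit_client_randoms(SAMPLE_DATAGRAMS)


if __name__ == "__main__":
    print(audit_sample())   # {'all_zero': [0], 'repeated': [3]}
```

Applied to real captures the parser would be fed the UDP payloads of the first flight only; later flights and retransmissions share the same random by design, so the repeat check should be keyed per connection attempt rather than per packet.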

Comment 4 David Walser 2020-04-08 01:42:45 CEST
Ubuntu has issued an advisory for this today (April 7):
https://usn.ubuntu.com/4322-1/

Severity: normal => major

Comment 5 Herman Viaene 2020-04-08 14:29:25 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to previous bug is no help, the xombrero package isn't in the repos anymore.
Testing its own commands:
$ gnutls-cli <mywebsever>
Processed 156 CA certificate(s).
Resolving '<mywebsever>:443'...
Connecting to '192.168.2.1:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', issuer `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', serial 0x00e3ee000a2bf5d3c8, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-12-29 13:19:18 UTC', expires `2020-12-28 13:19:18 UTC', pin-sha256="lQTW7XKLrPuHit3Kpdh+tTSYK/HmL+hr7gBymvEXpEo="
        Public Key ID:
                sha1:d7f2bb1732d7012d2db625f09f249e45fe4b222d
                sha256:9504d6ed728bacfb878addcaa5d87eb534982bf1e62fe86bee00729af117a44a
        Public Key PIN:
                pin-sha256:lQTW7XKLrPuHit3Kpdh+tTSYK/HmL+hr7gBymvEXpEo=

- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

That's fair enough.

$ gnutls-serv 
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

pointed the browser to http://localhost:5556/ and got an answer, but only some binary data.
Good enough to prove the thing works.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
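
Before exercising gnutls-cli as in the comment above, a tester usually confirms that the installed build is the one from core/updates_testing, i.e. that its epoch:version-release is at or beyond gnutls-3.6.7-1.1.mga7. The following Python is an added example, not part of this bug or of Mageia's tooling; it reimplements rpm's version-segment comparison (numeric and alphabetic segments, tilde and caret ordering) and applies it to an EVR string of the form an admin would get from `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' gnutls`. The fixed EVR is taken from Comment 3; the installed values in the usage are constructed.

```python
from typing import Tuple

FIXED_EVR = "3.6.7-1.1.mga7"   # from the package list in this bug's advisory


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version/release strings the way rpm does: 1 if a > b, -1 if a < b, 0 if equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything not alphanumeric, '~' or '^') are skipped
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":        # tilde sorts before anything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue
        if ca == "^" or cb == "^":        # caret sorts after end of string but before other segments
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i += 1
            j += 1
            continue
        if not ca or not cb:
            break
        isnum = ca.isdigit()
        si, sj = i, j
        if isnum:
            while i < len(a) and a[i].isdigit():
                i += 1
            while j < len(b) and b[j].isdigit():
                j += 1
        else:
            while i < len(a) and a[i].isalpha():
                i += 1
            while j < len(b) and b[j].isalpha():
                j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                     # numeric segment beats alphabetic at the same position
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # longer digit string is the larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1       # whichever string has segments left is newer


def parse_evr(evr: str) -> Tuple[str, str, str]:
    """Split 'epoch:version-release' into its parts; epoch defaults to '0' when absent."""
    epoch, _, rest = evr.rpartition(":")
    if not epoch or epoch == "(none)":    # rpm prints '(none)' for an unset epoch
        epoch = "0"
    version, _, release = rest.rpartition("-")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed build is at or beyond the EVR that carries the fix."""
    return compare_evr(installed_evr, fixed_evr) >= 0


if __name__ == "__main__":
    for evr in ("3.6.7-1.mga7", "3.6.7-1.1.mga7", "3.6.13-1.mga7"):   # constructed installed values
        print(evr, "fixed" if is_fixed(evr) else "VULNERABLE")
```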

Comment 6 Thomas Andrews 2020-04-09 00:04:43 CEST
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-04-15 10:42:43 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-04-15 12:13:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0168.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
