Debian has issued an advisory on April 4: https://www.debian.org/security/2020/dsa-4652 The issue is fixed upstream in 3.6.13.
Assigning to you, DavidG, as having committed this previously. No registered maintainer. It looks as if DavidW has just committed 3.6.13.
Assignee: bugsquad => geiger.david68210
Done for mga7!
Advisory:
========================

Updated gnutls packages fix security vulnerability:

A flaw was reported in the DTLS protocol implementation in GnuTLS. The DTLS client would not contribute any randomness to the DTLS negotiation, breaking the security guarantees of the DTLS protocol (CVE-2020-11501).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11501
https://www.debian.org/security/2020/dsa-4652
========================

Updated packages in core/updates_testing:
========================
gnutls-3.6.7-1.1.mga7
libgnutls30-3.6.7-1.1.mga7
libgnutlsxx28-3.6.7-1.1.mga7
libgnutls-devel-3.6.7-1.1.mga7

from gnutls-3.6.7-1.1.mga7.src.rpm
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
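The advisory above describes the defect only at the protocol level: the DTLS client contributed no randomness to the negotiation. The following is an added example, not code from this bug report, from Mageia or from GnuTLS, showing how a test harness or capture review could catch that class of failure from the wire. It builds constructed DTLS 1.2 ClientHello records (RFC 6347 layout), parses the 32-byte ClientHello.random back out, and flags a random that is all-zero, near-constant, or reused across separate handshakes. The assumption is that "no randomness" shows up on the wire as an all-zero or repeated random; the function and record names are this example's own.

```python
import struct

# Constructed DTLS ClientHello records for the demonstration; nothing here is
# captured from the bug report or from GnuTLS itself.
HANDSHAKE = 22
CLIENT_HELLO = 1
DTLS12 = b"\xfe\xfd"


def build_client_hello(random_bytes, cookie=b"", session_id=b"",
                       cipher_suites=(0xC02B, 0xC02F)):
    """Assemble a minimal, unfragmented DTLS 1.2 ClientHello record (RFC 6347)."""
    if len(random_bytes) != 32:
        raise ValueError("ClientHello.random must be 32 bytes")
    body = DTLS12 + random_bytes
    body += bytes([len(session_id)]) + session_id
    body += bytes([len(cookie)]) + cookie            # DTLS-only cookie field
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                              # one compression method: null
    # DTLS handshake header: type, length(3), message_seq(2),
    # fragment_offset(3), fragment_length(3)
    hs = (bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big")
          + struct.pack("!H", 0) + (0).to_bytes(3, "big")
          + len(body).to_bytes(3, "big") + body)
    # DTLS record header: type, version(2), epoch(2), sequence_number(6), length(2)
    return (bytes([HANDSHAKE]) + DTLS12 + struct.pack("!H", 0)
            + (0).to_bytes(6, "big") + struct.pack("!H", len(hs)) + hs)


def parse_client_hello(record):
    """Pull the fields a reviewer cares about out of one DTLS ClientHello record."""
    if len(record) < 13 or record[0] != HANDSHAKE:
        raise ValueError("not a DTLS handshake record")
    rec_len = struct.unpack("!H", record[11:13])[0]
    frag = record[13:13 + rec_len]
    if len(frag) < 12 or frag[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(frag[1:4], "big")
    frag_off = int.from_bytes(frag[6:9], "big")
    frag_len = int.from_bytes(frag[9:12], "big")
    if frag_off != 0 or frag_len != hs_len:
        raise ValueError("fragmented ClientHello; reassemble before parsing")
    body = frag[12:12 + frag_len]
    pos = 0
    client_version = body[pos:pos + 2]; pos += 2
    rand = body[pos:pos + 32]; pos += 32
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cookie_len = body[pos]; pos += 1
    cookie = body[pos:pos + cookie_len]; pos += cookie_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return {"client_version": client_version, "random": rand,
            "session_id": session_id, "cookie": cookie, "cipher_suites": suites}


def assess_random(rand, seen):
    """Flag a ClientHello.random that carries no usable randomness.

    Assumption: a client that contributes no randomness produces a random that
    is all-zero, near-constant, or identical across separate handshakes."""
    findings = []
    if rand == bytes(32):
        findings.append("all-zero random")
    elif len(set(rand)) <= 4:
        # 32 genuinely random bytes take about 30 distinct values on average
        findings.append("low-entropy random")
    if rand in seen:
        findings.append("random reused across handshakes")
    seen.add(rand)
    return findings


def audit(records):
    """Return the findings for each ClientHello record, one list per handshake."""
    seen = set()
    return [assess_random(parse_client_hello(r)["random"], seen) for r in records]


if __name__ == "__main__":
    import os
    broken = build_client_hello(bytes(32), cookie=b"constructed-cookie")
    healthy = build_client_hello(os.urandom(32), cookie=b"constructed-cookie")
    for label, verdict in zip(("broken client", "healthy client", "replayed random"),
                              audit([broken, healthy, healthy])):
        print(label, verdict or "ok")
```

Feed `audit` one ClientHello per handshake, i.e. the final cookie-bearing one: RFC 6347 requires the ClientHello retransmitted after a HelloVerifyRequest to repeat the same random, so comparing the cookie-less and cookied copies of the same handshake would raise a false "reused" finding.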
Ubuntu has issued an advisory for this today (April 7): https://usn.ubuntu.com/4322-1/
Severity: normal => major
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to previous bug is no help, the xombrero package isn't in the repos anymore.
Testing its own commands:
$ gnutls-cli <mywebsever>
Processed 156 CA certificate(s).
Resolving '<mywebsever>:443'...
Connecting to '192.168.2.1:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', issuer `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', serial 0x00e3ee000a2bf5d3c8, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-12-29 13:19:18 UTC', expires `2020-12-28 13:19:18 UTC', pin-sha256="lQTW7XKLrPuHit3Kpdh+tTSYK/HmL+hr7gBymvEXpEo="
	Public Key ID:
		sha1:d7f2bb1732d7012d2db625f09f249e45fe4b222d
		sha256:9504d6ed728bacfb878addcaa5d87eb534982bf1e62fe86bee00729af117a44a
	Public Key PIN:
		pin-sha256:lQTW7XKLrPuHit3Kpdh+tTSYK/HmL+hr7gBymvEXpEo=
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
That's fair enough.
$ gnutls-serv
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done
Pointed the browser to http://localhost:5556/ and got an answer, but only some binary data. Good enough to prove the thing works.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0168.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED