GnuTLS 3.6.15 has been released on September 4, fixing a security issue:
https://lists.gnupg.org/pipermail/gnutls-help/2020-September/004669.html
https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure (CVE-2020-24659).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24659
https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04
https://lists.gnupg.org/pipermail/gnutls-help/2020-September/004669.html
========================

Updated packages in core/updates_testing:
========================

libgnutls30-3.6.15-1.mga7
gnutls-3.6.15-1.mga7
gnutls-debuginfo-3.6.15-1.mga7
libgnutls-devel-3.6.15-1.mga7
libgnutlsxx28-3.6.15-1.mga7

from gnutls-3.6.15-1.mga7.src.rpm
urpmi gnutls

$MIRRORLIST: media/core/updates_testing/gnutls-3.6.15-1.mga7.x86_64.rpm
installation de gnutls-3.6.15-1.mga7.x86_64.rpm depuis /var/cache/urpmi/rpms
Préparation...                 ######################################################################
      1/1: gnutls              ######################################################################
      1/1: désinstallation de gnutls-3.6.14-1.mga7.x86_64
                               ######################################################################

This correctly installs version from Updates_testing. No errors.
Don't really know what to do. Don't have webserver to test.
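A defender's check that goes with the install/uninstall output above: parse `rpm -qa` lines (the same name-version-release form the thread uses) and flag any GnuTLS package still below the 3.6.15 fix for CVE-2020-24659. This is an added example, not code from the bug report; the sample `rpm -qa` lines and the package-name set are constructed here, and the `rpm` call at the bottom is only run when the script is executed directly.

```python
import re
import subprocess

# Fixed version from the advisory: CVE-2020-24659 is fixed in GnuTLS 3.6.15.
FIXED_VERSION = "3.6.15"
# Package names seen in this update (constructed set; extend for other distros).
GNUTLS_PKGS = {"gnutls", "libgnutls30", "lib64gnutls30", "libgnutlsxx28", "libgnutls-devel"}
ARCH_SUFFIX = re.compile(r"\.(x86_64|i586|i686|aarch64|noarch)$")

# Constructed sample of `rpm -qa` output: two libs still at 3.6.14, tools already updated.
SAMPLE_RPM_QA = """\
lib64gnutls30-3.6.14-1.mga7
libgnutls30-3.6.14-1.mga7.i586
gnutls-3.6.15-1.mga7.x86_64
lib64p11-kit0-0.23.15-1.mga7
p11-kit-0.23.15-1.mga7
"""


def split_nvr(pkg):
    """Split 'name-version-release[.arch]' from the right; names may contain '-'."""
    pkg = ARCH_SUFFIX.sub("", pkg.strip())
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def version_key(version):
    """Numeric-aware sort key so that 3.6.15 > 3.6.9 (plain string compare fails)."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in version.split(".")]


def vulnerable_packages(rpm_qa_output, fixed=FIXED_VERSION):
    """Return installed GnuTLS package lines whose version is below the fixed one."""
    found = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, version, _release = split_nvr(line)
        if name in GNUTLS_PKGS and version_key(version) < version_key(fixed):
            found.append(line.strip())
    return found


if __name__ == "__main__":
    # On a real Mageia host, read the actual package list instead of the sample.
    out = subprocess.run(["rpm", "-qa"], capture_output=True, text=True, check=True).stdout
    for pkg in vulnerable_packages(out):
        print("still vulnerable:", pkg)
```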
When selecting lib64gnutls30 or libgnutls30 packages for updating the following packages are pulled as well:
- lib64p11-kit0-0.23.21-1.mga7.x86_64
- libp11-kit0-0.23.21-1.mga7.i586
- p11-kit-0.23.21-1.mga7.x86_64

Is this correct? If yes, shouldn't these be a reference to those updated packages or a bug report for it?
CC: (none) => mageia
Those are part of the Firefox update that won't be pushed soon. Can you install this update without them (maybe using QArepo)?
If I try to install without the p11 packages, urpmi complains about missing dependencies. I'm not certain if it is a good idea to force install it.

$ LANGUAGE=C urpmi --test libgnutls30 lib64gnutls30 gnutls
Marking libgnutls30 as manually installed, it won't be auto-orphaned
To satisfy dependencies, the following packages are going to be installed:
(test only, installation will not be actually done)
  Package                        Version      Release       Arch
(medium "Core Updates Testing")
  gnutls                         3.6.15       1.mga7        x86_64
  lib64gnutls30                  3.6.15       1.mga7        x86_64
  lib64p11-kit0                  0.23.21      1.mga7        x86_64
  p11-kit                        0.23.21      1.mga7        x86_64
(medium "Core 32bit Updates Testing")
  libgnutls30                    3.6.15       1.mga7        i586
  libp11-kit0                    0.23.21      1.mga7        i586
314KB of additional disk space will be used.
3.8MB of packages will be retrieved.
Proceed with the installation of the 6 packages? (Y/n) n

$ LANGUAGE=C urpmi --test libgnutls30 lib64gnutls30 gnutls --skip /p11/
Some requested packages cannot be installed:
lib64gnutls30-3.6.15-1.mga7.x86_64 (due to unsatisfied libp11-kit.so.0(LIBP11_KIT_1.0)(64bit))
libgnutls30-3.6.15-1.mga7.i586 (due to unsatisfied libp11-kit.so.0(LIBP11_KIT_1.0))
Continue installation anyway? (Y/n) n

$ rpm -qa | grep p11
lib64p11-kit0-0.23.15-1.mga7
p11-kit-0.23.15-1.mga7
libp11-kit0-0.23.15-1.mga7
Ok thanks. I might have to get a sysadmin to remove it and then rebuild it.
Keywords: (none) => feedback
Ubuntu has issued an advisory for this on September 9: https://ubuntu.com/security/notices/USN-4491-1
Severity: normal => major
Interesting, rebuilt against the older p11-kit, there's a trust-store test in the test suite that fails. So it probably needs the newer p11-kit to work right. I'll just tie this to the Firefox update for now.
Depends on: (none) => 26711
Assignee: qa-bugs => luigiwalser
CC: (none) => qa-bugs
Keywords: feedback => (none)
OK, packages rebuilt as they were. Firefox update will block this one.
Assignee: luigiwalser => qa-bugs
CC: qa-bugs => (none)
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 26444 for testing

$ gnutls-cli mach1
Processed 138 CA certificate(s).
Resolving 'mach1:443'...
Connecting to '192.168.2.1:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', issuer `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', serial 0x009c76e40ae9a19b84, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-07-15 11:00:35 UTC', expires `2021-07-15 11:00:35 UTC', pin-sha256="DSA4O9kfPOBXvObbW12wXwCy75xx24jAHjrnOufbcWc="
	Public Key ID:
		sha1:092b04ca202131dd0cc9f8eb6706e91e9bafc4cc
		sha256:0d20383bd91f3ce057bce6db5b5db05f00b2ef9c71db88c01e3ae73ae7db7167
	Public Key PIN:
		pin-sha256:DSA4O9kfPOBXvObbW12wXwCy75xx24jAHjrnOufbcWc=
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

$ gnutls-serv
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done
^CExiting via signal 2

[tester7@mach5 ~]$ gnutls-serv
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done

Pointed the browser to http://localhost:5556/ and got an answer, but only some binary data.
OK for me.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0379.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED