Bug 27257 - gnutls new security issue CVE-2020-24659
Summary: gnutls new security issue CVE-2020-24659
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2020-09-08 00:07 CEST by David Walser
Modified: 2020-09-11 19:39 CEST (History)
1 user (show)

See Also:
Source RPM: gnutls-3.6.14-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2020-09-08 00:07:33 CEST
GnuTLS 3.6.15 has been released on September 4, fixing a security issue:
https://lists.gnupg.org/pipermail/gnutls-help/2020-September/004669.html
https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL
pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent
with unexpected timing, and then an invalid second handshake occurs. The crash
happens in the application's error handling path, where the gnutls_deinit
function is called after detecting a handshake failure (CVE-2020-24659).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24659
https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04
https://lists.gnupg.org/pipermail/gnutls-help/2020-September/004669.html
========================

Updated packages in core/updates_testing:
========================
libgnutls30-3.6.15-1.mga7
gnutls-3.6.15-1.mga7
gnutls-debuginfo-3.6.15-1.mga7
libgnutls-devel-3.6.15-1.mga7
libgnutlsxx28-3.6.15-1.mga7

from gnutls-3.6.15-1.mga7.src.rpm
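As an added example (not code from this bug report, from Mageia QA, or from the GnuTLS project), the following POSIX shell check lets a tester confirm that every installed gnutls package is at or above the fixing 3.6.15 release, which is the practical way to verify this update without a TLS server to hand. It assumes the `name-version-release` string format that `rpm -qa` prints; the version comparison handles dotted numeric versions only, and the package list embedded in the script is constructed to mirror the packages named in this bug, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the Mageia bug report or from the GnuTLS project.
# Checks "rpm -qa"-style name-version-release (NVR) strings against the version
# that fixes CVE-2020-24659 (gnutls 3.6.15) and reports packages still below it.
# Assumptions: versions are dotted numerics, and the sample package list below is
# constructed to mirror the packages in this bug, not captured from a real system.

FIXED_VERSION="3.6.15"

# vercmp A B : prints -1, 0 or 1 for A<B, A=B, A>B (dotted numeric versions only)
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -n "$ai" ] || ai=0      # missing component counts as 0 (3.6 == 3.6.0)
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# Split an NVR such as lib64gnutls30-3.6.15-1.mga7 into its three fields.
nvr_release() { printf '%s\n' "${1##*-}"; }
nvr_version() { v="${1%-*}"; printf '%s\n' "${v##*-}"; }
nvr_name()    { v="${1%-*}"; printf '%s\n' "${v%-*}"; }

# gnutls_status NVR : prints "fixed" when version >= FIXED_VERSION, else "vulnerable"
gnutls_status() {
    if [ "$(vercmp "$(nvr_version "$1")" "$FIXED_VERSION")" -ge 0 ]; then
        printf 'fixed\n'
    else
        printf 'vulnerable\n'
    fi
}

# vulnerable_gnutls_packages LIST : prints each gnutls NVR in LIST still below the fix
vulnerable_gnutls_packages() {
    printf '%s\n' "$1" | while IFS= read -r nvr; do
        [ -n "$nvr" ] || continue
        case "$(nvr_name "$nvr")" in
            *gnutls*)
                if [ "$(gnutls_status "$nvr")" = vulnerable ]; then
                    printf '%s\n' "$nvr"
                fi
                ;;
        esac
    done
}

# Constructed sample of "rpm -qa" output: the i586 library is still at the old release.
SAMPLE_RPM_QA='gnutls-3.6.15-1.mga7
lib64gnutls30-3.6.15-1.mga7
libgnutls30-3.6.14-1.mga7
lib64p11-kit0-0.23.15-1.mga7
p11-kit-0.23.15-1.mga7'

# Stand-alone run over the constructed sample; on a real Mageia host pass "$(rpm -qa)".
printf 'Packages still below gnutls %s:\n' "$FIXED_VERSION"
vulnerable_gnutls_packages "$SAMPLE_RPM_QA"
```

On a real host, replace the constructed list with `"$(rpm -qa)"`. The comparison ignores the release tag (`1.mga7`) and looks only at the upstream version, which is enough here because the fix arrives as a version bump from 3.6.14 to 3.6.15; a multilib system should show both the x86_64 and the i586 library at the new version, as the `urpmi --test` output in the comments below illustrates.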
Comment 1 Aurelien Oudelet 2020-09-08 14:59:52 CEST
urpmi gnutls

    $MIRRORLIST: media/core/updates_testing/gnutls-3.6.15-1.mga7.x86_64.rpm
installation de gnutls-3.6.15-1.mga7.x86_64.rpm depuis /var/cache/urpmi/rpms
Préparation...                   ######################################################################
      1/1: gnutls                ######################################################################
      1/1: désinstallation de gnutls-3.6.14-1.mga7.x86_64
                                 ######################################################################

This correctly installs the version from Updates_testing. No errors.
Don't really know what to do. Don't have a webserver to test.
Comment 2 PC LX 2020-09-11 10:43:57 CEST
When selecting lib64gnutls30 or libgnutls30 packages for updating the following packages are pulled as well:
- lib64p11-kit0-0.23.21-1.mga7.x86_64
- libp11-kit0-0.23.21-1.mga7.i586
- p11-kit-0.23.21-1.mga7.x86_64

Is this correct? If yes, shouldn't there be a reference to those updated packages or a bug report for it?

CC: (none) => mageia

Comment 3 David Walser 2020-09-11 12:43:37 CEST
Those are part of the Firefox update that won't be pushed soon.  Can you install this update without them (maybe using QArepo)?
Comment 4 PC LX 2020-09-11 16:35:51 CEST
If I try to install without the p11 packages, urpmi complains about missing dependencies.
I'm not certain if it is a good idea to force install it.


$ LANGUAGE=C urpmi --test libgnutls30 lib64gnutls30 gnutls
Marking libgnutls30 as manually installed, it won't be auto-orphaned
To satisfy dependencies, the following packages are going to be installed:
(test only, installation will not be actually done)
  Package                        Version      Release       Arch    
(medium "Core Updates Testing")
  gnutls                         3.6.15       1.mga7        x86_64  
  lib64gnutls30                  3.6.15       1.mga7        x86_64  
  lib64p11-kit0                  0.23.21      1.mga7        x86_64  
  p11-kit                        0.23.21      1.mga7        x86_64  
(medium "Core 32bit Updates Testing")
  libgnutls30                    3.6.15       1.mga7        i586    
  libp11-kit0                    0.23.21      1.mga7        i586    
314KB of additional disk space will be used.
3.8MB of packages will be retrieved.
Proceed with the installation of the 6 packages? (Y/n) n
$ LANGUAGE=C urpmi --test libgnutls30 lib64gnutls30 gnutls --skip /p11/
Some requested packages cannot be installed:
lib64gnutls30-3.6.15-1.mga7.x86_64 (due to unsatisfied libp11-kit.so.0(LIBP11_KIT_1.0)(64bit))
libgnutls30-3.6.15-1.mga7.i586 (due to unsatisfied libp11-kit.so.0(LIBP11_KIT_1.0))
Continue installation anyway? (Y/n) n
$ rpm -qa | grep p11
lib64p11-kit0-0.23.15-1.mga7
p11-kit-0.23.15-1.mga7
libp11-kit0-0.23.15-1.mga7
Comment 5 David Walser 2020-09-11 19:39:22 CEST
Ok thanks.  I might have to get a sysadmin to remove it and then rebuild it.

Keywords: (none) => feedback

