Fedora has issued an advisory on March 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OSLAE6PP33A7VYRYMYMUVB3U6B26GZER/

The issues are fixed upstream in 3.7.1:
https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10

Mageia 7 is also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 3.7.1
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=28800
Variously maintained, so assigning globally. DavidG, a recent committer, is already CC'd.
Assignee: bugsquad => pkg-bugs
openSUSE has issued an advisory for this on March 25: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LUDG7BXPVVVALM2YUCJ2EKIRBHFXMY75/
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences. (CVE-2021-20231)

A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences. (CVE-2021-20232)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20231
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20232
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OSLAE6PP33A7VYRYMYMUVB3U6B26GZER/
https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LUDG7BXPVVVALM2YUCJ2EKIRBHFXMY75/
========================

Updated packages in 7/core/updates_testing:
========================
gnutls-3.6.15-1.1.mga7
lib(64)gnutls30-3.6.15-1.1.mga7
lib(64)gnutlsxx28-3.6.15-1.1.mga7
lib(64)gnutls-devel-3.6.15-1.1.mga7

from SRPM:
gnutls-3.6.15-1.1.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
gnutls-3.6.15-3.1.mga8
lib(64)gnutls30-3.6.15-3.1.mga8
lib(64)gnutlsxx28-3.6.15-3.1.mga8
lib(64)gnutls-devel-3.6.15-3.1.mga8

from SRPM:
gnutls-3.6.15-3.1.mga8.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 3.7.1 => (none)
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 27257 for testing

$ gnutls-cli mach1
Processed 128 CA certificate(s).
Resolving 'mach1:443'...
Connecting to '192.168.2.1:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', issuer `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', serial 0x2b26b631453768c44ab1a432961d780848570faf, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-04-06 11:45:22 UTC', expires `2022-04-06 11:45:22 UTC', pin-sha256="pvMLJ62KvViacXZFR/MDuWiWbWIvZhmbUIkRWjW08nA="
	Public Key ID:
		sha1:0a76055c20ef7bac21648d9fe12caa4928c82799
		sha256:a6f30b27ad8abd589a71764547f303b968966d622f66199b5089115a35b4f270
	Public Key PIN:
		pin-sha256:pvMLJ62KvViacXZFR/MDuWiWbWIvZhmbUIkRWjW08nA=
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

$ gnutls-serv
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

Pointing the browser to http://localhost:5556/ and got an answer, but only some binary data.
At the CLI got this feedback:
* Accepted connection from IPv6 ::1 port 41876 on Fri Jun 25 13:42:29 202
|<0x1e54c70>| Received record packet of unknown type 71
Error in handshake: An unexpected TLS packet was received.

Seems all the same as previous updates, thus OK for me.
CC: (none) => herman.viaene
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
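The QA run above connects to a server whose self-signed certificate the client cannot verify, so the handshake stops at the certificate check rather than completing. The script below is an added example, not part of this bug report or of Mageia's QA tooling: it first compares the installed gnutls version-release (queried with rpm) against the fixed versions listed in the advisory in this bug, then generates a throw-away self-signed certificate with certtool, starts gnutls-serv on port 5556 (the port used in the test above) with it, and connects with gnutls-cli using --x509cafile pointed at that certificate and a TLS 1.3-only priority string, so that verification succeeds and the client-side key_share / pre_shared_key code paths named in the CVEs are exercised through a complete handshake. The use of sort -V as a stand-in for rpm's version comparison, the RUN_QA environment flag and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from this bug report or Mageia QA). Two checks for the
# gnutls update: installed version >= fixed version, and a loopback TLS 1.3
# handshake that completes because the client trusts the server certificate.
set -eu

# Fixed package versions from the advisory in this bug (MGA7 / MGA8).
FIXED_MGA7="3.6.15-1.1.mga7"
FIXED_MGA8="3.6.15-3.1.mga8"

# version_at_least INSTALLED FIXED -> exit 0 when INSTALLED >= FIXED.
# sort -V is an approximation of rpm's own comparison (assumption: adequate
# for the version-release strings used here; rpmdev-vercmp is exact where it exists).
version_at_least() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | tail -n 1)" = "$1" ]
}

# check_installed RELEASE (7 or 8): compare the installed gnutls
# version-release with the fixed one; skips quietly when rpm is not present.
check_installed() {
    case "$1" in 7) fixed=$FIXED_MGA7 ;; 8) fixed=$FIXED_MGA8 ;; *) return 2 ;; esac
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping version check"; return 0; }
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' gnutls)
    if version_at_least "$installed" "$fixed"; then
        echo "gnutls $installed >= $fixed: fixed"
    else
        echo "gnutls $installed < $fixed: still vulnerable"; return 1
    fi
}

# loopback_handshake: self-signed cert via certtool, gnutls-serv on port 5556,
# client connects with --x509cafile so verification succeeds instead of the
# "NOT trusted" result seen when no CA is supplied.
loopback_handshake() {
    for t in certtool gnutls-serv gnutls-cli; do
        command -v "$t" >/dev/null 2>&1 || { echo "$t not found; skipping handshake test"; return 0; }
    done
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    certtool --generate-privkey --bits 2048 --outfile "$tmp/key.pem" 2>/dev/null
    printf 'cn = localhost\ndns_name = localhost\ntls_www_server\nexpiration_days = 1\n' > "$tmp/template"
    certtool --generate-self-signed --load-privkey "$tmp/key.pem" \
        --template "$tmp/template" --outfile "$tmp/cert.pem" 2>/dev/null
    gnutls-serv --x509keyfile "$tmp/key.pem" --x509certfile "$tmp/cert.pem" --port 5556 &
    srv=$!
    sleep 1
    rc=0
    # TLS 1.3 only, so the key_share and pre_shared_key client extensions are sent.
    gnutls-cli --x509cafile "$tmp/cert.pem" --priority NORMAL:-VERS-ALL:+VERS-TLS1.3 \
        --port 5556 localhost </dev/null || rc=$?
    kill "$srv" 2>/dev/null || true
    return "$rc"
}

main() {
    check_installed "${1:-7}"
    loopback_handshake
}

# Run the checks only when invoked with RUN_QA=1 (e.g. RUN_QA=1 sh gnutls-qa.sh 8);
# without the flag the file just defines the functions and can be sourced.
if [ "${RUN_QA:-0}" = 1 ]; then main "$@"; fi
```

A successful run prints "Handshake was completed" from gnutls-cli and exits 0; a pre-fix package makes check_installed report "still vulnerable" and exit 1 before the handshake is attempted.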
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 27257 for testing
Repeated tests from Comment 4 with same commands and same results. OK thus.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CVE: (none) => CVE-2021-20231, CVE-2021-20232
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0291.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED