Bug 30112 - gnutls new security issue CVE-2021-4209
Summary: gnutls new security issue CVE-2021-4209
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-03-03 22:09 CET by David Walser
Modified: 2022-03-12 04:08 CET

See Also:
Source RPM: gnutls-3.6.15-3.1.mga8.src.rpm
CVE: CVE-2021-4209
Status comment:



Description David Walser 2022-03-03 22:09:48 CET
SUSE has issued an advisory on March 2:
https://lists.suse.com/pipermail/sle-security-updates/2022-March/010333.html

The issue is fixed upstream in 3.7.3.
David Walser 2022-03-03 22:11:30 CET

Status comment: (none) => Patch available from upstream
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-03-04 19:34:51 CET
openSUSE has issued an advisory for this on March 3:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RI5PFWTNO6UDYFJ3HLMKV5PQYAJ77E46/
Comment 2 Nicolas Salguero 2022-03-05 09:28:07 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Null pointer dereference in MD_UPDATE. (CVE-2021-4209)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4209
https://lists.suse.com/pipermail/sle-security-updates/2022-March/010333.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RI5PFWTNO6UDYFJ3HLMKV5PQYAJ77E46/
========================

Updated packages in core/updates_testing:
========================
gnutls-3.6.15-3.2.mga8
lib(64)gnutls30-3.6.15-3.2.mga8
lib(64)gnutlsxx28-3.6.15-3.2.mga8
lib(64)gnutls-devel-3.6.15-3.2.mga8

from SRPM:
gnutls-3.6.15-3.2.mga8.src.rpm

CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-4209
Assignee: bugsquad => qa-bugs
Status comment: Patch available from upstream => (none)

Comment 3 PC LX 2022-03-11 17:55:38 CET
Installed and tested without issue.

This update has been in use for several days now and several core packages depend on gnutls. Along with the normal workstation usage, I also did some explicit tests with aria2c (a gnutls user) and nothing broke, so this update gets an OK from me.

Please unOK if you find any issues.



System: Mageia 8, x86_64, Intel CPU.



$ uname -a
Linux marte 5.15.25-desktop-1.mga8 #1 SMP Wed Feb 23 19:39:18 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep gnutls.*3.6.15 | sort
gnutls-3.6.15-3.2.mga8
lib64gnutls30-3.6.15-3.2.mga8
libgnutls30-3.6.15-3.1.mga8

Whiteboard: (none) => MGA8-64-OK
CC: (none) => mageia

Comment 4 Dave Hodgins 2022-03-11 21:46:05 CET
No regressions noticed. Validating the update. Advisory committed to svn.

CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 5 Mageia Robot 2022-03-12 04:08:46 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0098.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

