Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/01/19/3

Mageia 9 is also affected.

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-0567, CVE-2024-0553
Source RPM: (none) => gnutls-3.8.2-1.mga10.src.rpm
Another cure by version update. Assigning to DavidG who has done several recent commits; but bear in mind that ns80 actually did the latest one: you must be automatically CC'd as the bug author.
Assignee: bugsquad => geiger.david68210
Status comment: (none) => 3.8.3 fixes CVE-2024-0553 & CVE-2024-0567

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack. (CVE-2024-0567)

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981. (CVE-2024-0553)

References:
https://www.openwall.com/lists/oss-security/2024/01/19/3
========================

Updated packages in core/updates_testing:
========================
gnutls-3.8.0-2.2.mga9
lib(64)gnutls30-3.8.0-2.2.mga9
lib(64)gnutls-dane0-3.8.0-2.2.mga9
lib(64)gnutls-devel-3.8.0-2.2.mga9
lib(64)gnutlsxx30-3.8.0-2.2.mga9

from SRPM:
gnutls-3.8.0-2.2.mga9.src.rpm

Status comment: 3.8.3 fixes CVE-2024-0553 & CVE-2024-0567 => (none)
Assignee: geiger.david68210 => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Source RPM: gnutls-3.8.2-1.mga10.src.rpm => gnutls-3.8.0-2.1.mga9.src.rpm
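As an added illustration of the class of flaw the CVE-2024-0553 text describes (not GnuTLS code, and not a reproduction of the 3.8.3 fix), the C sketch below contrasts an early-exit PKCS#1 v1.5 check with a branch-free one that substitutes random bytes on failure, the countermeasure described in RFC 5246 section 7.4.7.1. The function names, the 256-byte block and the fill values are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMS_LEN 48 /* TLS premaster secret length */

/* 0xFF if x == 0, else 0x00, computed without branching on x. */
static uint8_t ct_is_zero(uint32_t x) {
    return (uint8_t)(((x | (0u - x)) >> 31) - 1);
}

/* Leaky contrast: returns at the first failed check, so run time and
 * return value both depend on the decrypted (secret) bytes. */
int pms_unpad_leaky(const uint8_t *em, size_t em_len, uint8_t out[PMS_LEN]) {
    if (em_len < PMS_LEN + 11 || em[0] != 0 || em[1] != 2) return -1;
    size_t i = 2;
    while (i < em_len && em[i] != 0) i++;
    if (em_len - i != PMS_LEN + 1) return -1;
    memcpy(out, em + i + 1, PMS_LEN);
    return 0;
}

/* Hardened: every byte is inspected regardless of content; a padding
 * failure silently selects `fallback` (caller-supplied random bytes,
 * generated before decryption) instead of reporting an error. */
int pms_unpad_ct(const uint8_t *em, size_t em_len,
                 const uint8_t fallback[PMS_LEN], uint8_t out[PMS_LEN]) {
    if (em_len < PMS_LEN + 11) return -1; /* modulus size is public */
    size_t sep = em_len - PMS_LEN - 1;    /* only valid separator slot */
    uint32_t bad = em[0] | (uint32_t)(em[1] ^ 0x02) | em[sep];
    for (size_t i = 2; i < sep; i++)
        bad |= ct_is_zero(em[i]);         /* zero inside PS is invalid */
    uint8_t ok = ct_is_zero(bad);         /* 0xFF when padding is valid */
    for (size_t i = 0; i < PMS_LEN; i++)
        out[i] = (uint8_t)((em[sep + 1 + i] & ok) | (fallback[i] & (uint8_t)~ok));
    return 0;
}

int main(void) {
    uint8_t em[256], fb[PMS_LEN], out[PMS_LEN]; /* constructed sample */
    memset(em, 0xAA, sizeof em);
    memset(fb, 0x55, sizeof fb);
    em[0] = 0; em[1] = 3; em[207] = 0;          /* 0x03: wrong block type */
    int leaky = pms_unpad_leaky(em, sizeof em, out);
    int ct = pms_unpad_ct(em, sizeof em, fb, out);
    printf("leaky=%d ct=%d out[0]=0x%02x\n", leaky, ct, out[0]);
    return 0;
}
```

Branch-free source is not a guarantee of constant-time machine code: check the compiled output or measure it, since an optimizer can reintroduce data-dependent branches.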
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

CC: (none) => marja11
Keywords: (none) => advisory
CC: (none) => mageia
Installed gnutls
Ran
gnutls-cli utility - worked
certtool - worked
danetool - responded
I'm approving this

Whiteboard: (none) => MGA9-64-OK
CC: (none) => brtians1
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0031.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED