Slackware has issued an advisory on March 19:
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2024&m=slackware-security.365688

There are few details but it seems that:
- those issues are fixed in version 3.8.4
- Mageia 9 is also affected
CVE: (none) => CVE-2024-28834, CVE-2024-28835
Source RPM: (none) => gnutls-3.8.3-1.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
Unsure who to assign to. NicolasS committed 3.8.2, 3.8.3 for security fixes, is implicitly CC'd.
Assignee: bugsquad => pkg-bugs
Status comment: (none) => fixed in version 3.8.4
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel. (CVE-2024-28834)

A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command. (CVE-2024-28835)

References:
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2024&m=slackware-security.365688
========================

Updated packages in core/updates_testing:
========================
gnutls-3.8.4-1.mga9
lib(64)gnutls-dane0-3.8.4-1.mga9
lib(64)gnutls-devel-3.8.4-1.mga9
lib(64)gnutls30-3.8.4-1.mga9
lib(64)gnutlsxx30-3.8.4-1.mga9

from SRPM:
gnutls-3.8.4-1.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs
Source RPM: gnutls-3.8.3-1.mga10.src.rpm => gnutls-3.8.0-2.2.mga9.src.rpm
Status comment: fixed in version 3.8.4 => (none)
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
CC: (none) => mageia
Keywords: (none) => advisory
RH Test install current versions and update

LC_ALL=C urpmi gnutls lib64gnutls-dane0 lib64gnutls-devel lib64gnutls30 lib64gnutlsxx30
Package lib64gnutls30-3.8.0-2.2.mga9.x86_64 is already installed
Marking lib64gnutls30 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  lib64python3-devel             3.10.11      1.1.mga9      x86_64
  lib64python3.10-testsuite      3.10.11      1.1.mga9      x86_64  (recommended)
  python3-docs                   3.10.11      1.1.mga9      noarch  (recommended)
(medium "Core Release (distrib1)")
  lib64event-devel               2.1.12       4.mga9        x86_64
  lib64ffi-devel                 3.4.4        1.mga9        x86_64
  lib64gmp-devel                 6.2.1        3.mga9        x86_64
  lib64mnl-devel                 1.0.5        1.mga9        x86_64
  lib64nettle-devel              3.9          1.mga9        x86_64
  lib64p11-kit-devel             0.24.1       2.mga9        x86_64
  lib64tasn1-devel               4.19.0       1.mga9        x86_64
  libtasn1-tools                 4.19.0       1.mga9        x86_64
(medium "Core Updates (distrib3)")
  gnutls                         3.8.0        2.2.mga9      x86_64
  lib64gnutls-dane0              3.8.0        2.2.mga9      x86_64
  lib64gnutls-devel              3.8.0        2.2.mga9      x86_64
  lib64gnutlsxx30                3.8.0        2.2.mga9      x86_64
  lib64unbound-devel             1.19.1       1.mga9        x86_64
155MB of additional disk space will be used.
22MB of packages will be retrieved.
Proceed with the installation of the 16 packages? (Y/n) y

https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64tasn1-devel-4.19.0-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64event-devel-2.1.12-4.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64mnl-devel-1.0.5-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64gmp-devel-6.2.1-3.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64p11-kit-devel-0.24.1-2.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/libtasn1-tools-4.19.0-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64nettle-devel-3.9-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64ffi-devel-3.4.4-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64gnutls-devel-3.8.0-2.2.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64gnutls-dane0-3.8.0-2.2.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64gnutlsxx30-3.8.0-2.2.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64unbound-devel-1.19.1-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/gnutls-3.8.0-2.2.mga9.x86_64.rpm

installing
/var/cache/urpmi/rpms/libtasn1-tools-4.19.0-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64p11-kit-devel-0.24.1-2.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/python3-docs-3.10.11-1.1.mga9.noarch.rpm
/var/cache/urpmi/rpms/lib64unbound-devel-1.19.1-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64event-devel-2.1.12-4.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64nettle-devel-3.9-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/lib64python3.10-testsuite-3.10.11-1.1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/lib64python3-devel-3.10.11-1.1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64gmp-devel-6.2.1-3.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64mnl-devel-1.0.5-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64gnutlsxx30-3.8.0-2.2.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64gnutls-dane0-3.8.0-2.2.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64tasn1-devel-4.19.0-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64ffi-devel-3.4.4-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/gnutls-3.8.0-2.2.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64gnutls-devel-3.8.0-2.2.mga9.x86_64.rpm
Preparing...
1/16: lib64gnutls-dane0
2/16: lib64gmp-devel
3/16: lib64nettle-devel
4/16: gnutls
5/16: lib64ffi-devel
6/16: lib64p11-kit-devel
7/16: lib64gnutlsxx30
8/16: lib64mnl-devel
9/16: lib64python3.10-testsuite
10/16: lib64event-devel
11/16: python3-docs
12/16: lib64python3-devel
13/16: lib64unbound-devel
14/16: libtasn1-tools
15/16: lib64tasn1-devel
16/16: lib64gnutls-devel

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64gnutls30-3.8.4-1.mga9.x86_64.rpm lib64gnutls-dane0-3.8.4-1.mga9.x86_64.rpm lib64gnutls-devel-3.8.4-1.mga9.x86_64.rpm lib64gnutlsxx30-3.8.4-1.mga9.x86_64.rpm gnutls-3.8.4-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...
1/5: lib64gnutls30
2/5: lib64gnutls-dane0
3/5: gnutls
4/5: lib64gnutlsxx30
5/5: lib64gnutls-devel
1/5: removing lib64gnutls-devel-3.8.0-2.2.mga9.x86_64
2/5: removing gnutls-3.8.0-2.2.mga9.x86_64
3/5: removing lib64gnutls-dane0-3.8.0-2.2.mga9.x86_64
4/5: removing lib64gnutlsxx30-3.8.0-2.2.mga9.x86_64
5/5: removing lib64gnutls30-3.8.0-2.2.mga9.x86_64
writing /var/lib/rpm/installed-through-deps.list
I do not understand how to reproduce the test of previous rounds.

gnutls-serv
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

This is what I see if I point the browser to http://localhost:5556/

gnutls-cli mageia.org
Looks good to me
Installed and tested without issues.

This update has been in use for over two days without issues.

Tested gnutls-serv as HTTP server with valid certificate and several HTTP clients.

HTTP server with valid certificate:
gnutls-serv --sni-hostname=example.com --http --x509keyfile=example.com.key --x509certfile=example.com.cert --port=8080

HTTP clients: gnutls-cli, sslscan, curl, wget, aria2c, firefox, chromium.

All OK.

Server System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.

$ uname -a
Linux marte 6.6.22-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 17 18:04:51 UTC 2024 x86_64 GNU/Linux

$ rpm -qa | grep -P 'gnutls.*3\.8\.4' | sort
gnutls-3.8.4-1.mga9
lib64gnutls30-3.8.4-1.mga9
lib64gnutls-dane0-3.8.4-1.mga9

Workstation System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.

$ uname -a
Linux jupiter 6.6.22-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 17 18:04:51 UTC 2024 x86_64 GNU/Linux

$ rpm -qa | grep 'gnutls.*3\.8\.4' | sort
gnutls-3.8.4-1.mga9
lib64gnutls30-3.8.4-1.mga9
lib64gnutls-dane0-3.8.4-1.mga9
libgnutls30-3.8.4-1.mga9
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
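An added example, not part of the original bug report: the testers above grep `rpm -qa` for packages already at 3.8.4, which does not show a 32-bit or sub-package left behind at an older version. The shell check below lists any GnuTLS package still below the fixed version; the function names and the sample inventory are constructed for illustration, and it assumes GNU `sort -V`.

```shell
#!/bin/sh
# Added example: flag GnuTLS packages still below the fixed version.
FIXED_VERSION="3.8.4"   # fixed version stated in this report

# Name patterns follow the update list above, where "lib(64)" covers
# both the 32-bit (libNAME) and 64-bit (lib64NAME) packages.
is_gnutls_pkg() {
    case "$1" in
        gnutls|libgnutls*|lib64gnutls*) return 0 ;;
        *) return 1 ;;
    esac
}

# version_lt A B: succeeds when A sorts strictly before B (GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Read name-version-release lines (as printed by rpm -qa) on stdin and
# print every GnuTLS package whose version is below FIXED_VERSION.
list_unfixed() {
    while IFS= read -r nvr; do
        [ -n "$nvr" ] || continue
        rest=${nvr%-*}        # strip the release, e.g. "-1.mga9"
        version=${rest##*-}   # e.g. "3.8.4"
        name=${rest%-*}       # e.g. "lib64gnutls-dane0"
        is_gnutls_pkg "$name" || continue
        if version_lt "$version" "$FIXED_VERSION"; then
            printf '%s\n' "$nvr"
        fi
    done
}

# Constructed inventory (not from a real host): 64-bit packages updated,
# 32-bit library left behind, plus an unrelated package with a lower version.
sample_inventory() {
    cat <<'EOF'
gnutls-3.8.4-1.mga9
lib64gnutls30-3.8.4-1.mga9
lib64gnutls-dane0-3.8.4-1.mga9
libgnutls30-3.8.0-2.2.mga9
lib64event-devel-2.1.12-4.mga9
EOF
}

sample_inventory | list_unfixed   # on a live system: rpm -qa | list_unfixed
```

Empty output means every installed GnuTLS package is at or above the fixed version.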
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0089.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED