Debian has issued an advisory on February 17: https://lists.debian.org/debian-security-announce/2025/msg00029.html
Fix: https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892 (included in 3.8.9)
Source RPM: (none) => gnutls-3.8.7-1.mga10.src.rpm, gnutls-3.8.4-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-12243
Status comment: (none) => Fixed upstream in 3.8.9 and patch available from upstream
Ubuntu has issued an advisory on February 20: https://ubuntu.com/security/notices/USN-7281-1
Suggested advisory:
========================

The updated packages fix a security vulnerability:

GnuTLS impacted by inefficient DER decoding in libtasn1 leading to remote DoS. (CVE-2024-12243)

References:
https://lists.debian.org/debian-security-announce/2025/msg00029.html
https://ubuntu.com/security/notices/USN-7281-1
========================

Updated packages in core/updates_testing:
========================
gnutls-3.8.4-1.1.mga9
lib(64)gnutls-dane0-3.8.4-1.1.mga9
lib(64)gnutls-devel-3.8.4-1.1.mga9
lib(64)gnutls30-3.8.4-1.1.mga9
lib(64)gnutlsxx30-3.8.4-1.1.mga9

from SRPM:
gnutls-3.8.4-1.1.mga9.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 9
Assignee: bugsquad => qa-bugs
Source RPM: gnutls-3.8.7-1.mga10.src.rpm, gnutls-3.8.4-1.mga9.src.rpm => gnutls-3.8.4-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Status comment: Fixed upstream in 3.8.9 and patch available from upstream => (none)
Keywords: (none) => advisory
CC: (none) => mageia
RH x86_64

I wonder if we are affected

certtool -i --infile ./CVE-2024-12243-cert.pem
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 2148e1887530712819cced86a6b796ec3e5f6351
    Issuer: CN=Root CA,O=Root CA,C=CN
    Validity:
        Not Before: Tue May 28 08:02:27 UTC 2024
        Not After: Wed May 28 08:02:27 UTC 2025
    Subject: CN=Root CA,O=Root CA,C=CN
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Medium (2048 bits)
        Modulus (bits 2048):
            00:a3:6d:03:34:e4:7e:f6:9b:50:07:65:6a:cf:b0:8c
            71:13:0d:3b:99:73:75:a0:9f:f3:ac:66:78:c6:53:ba
            aa:db:e2:84:d4:06:60:50:36:b4:39:34:ea:ae:0b:26
            e2:25:f0:79:87:df:42:2c:21:28:23:78:7e:7a:95:7b
            6c:8a:c2:9f:00:da:4c:4f:00:0b:99:c7:37:fb:ad:ff
            65:64:d3:b4:fa:cc:14:14:c0:19:cf:67:c2:50:ee:67
            e4:36:9a:36:c0:48:ea:57:d7:87:1d:82:4a:3d:6d:8e
            4e:9c:3e:48:c9:79:18:2f:9b:ad:b2:a8:0a:66:57:09
            51:cd:9d:5b:88:3e:58:1c:41:5b:37:48:cf:17:01:10
            da:d2:7a:f0:4e:90:eb:84:8b:72:74:cc:88:03:9c:94
            9c:66:50:a2:ea:e5:d6:be:a4:34:0a:92:76:c0:ff:e9
            ac:be:e6:76:c2:c8:d3:ee:e8:61:19:d9:df:22:35:86
            2e:31:1e:d7:14:4b:7c:32:9d:a4:2b:a2:6b:86:c3:10
            a9:ae:0e:8f:3b:ba:07:39:ff:bd:b3:2a:13:c1:b4:21
            12:b1:36:27:7e:f6:45:06:51:fe:f4:0a:18:4a:f0:87
            c4:7e:b6:66:e3:52:1d:62:bf:51:91:f2:6c:9c:74:0b
            fd
        Exponent (bits 24):
            01:00:01
    Extensions:
        Subject Alternative Name (not critical):
            DNSname: 1example.com

It never overloads the CPU as described; will test again after the update.
RH x86_64

installing gnutls-3.8.4-1.1.mga9.x86_64.rpm lib64gnutls30-3.8.4-1.1.mga9.x86_64.rpm lib64gnutls-dane0-3.8.4-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/3: lib64gnutls30 ##################################################################################################
2/3: lib64gnutls-dane0 ##################################################################################################
3/3: gnutls ##################################################################################################
1/3: removing gnutls-3.8.4-1.mga9.x86_64 ##################################################################################################
2/3: removing lib64gnutls-dane0-3.8.4-1.mga9.x86_64 ##################################################################################################
3/3: removing lib64gnutls30-3.8.4-1.mga9.x86_64 ##################################################################################################

certtool -i --infile ./CVE-2024-12243-cert.pem

Produces the information a little faster.
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Repeated tests from bug 31558 with similar results.

$ gnutls-cli mach1
Processed 150 CA certificate(s).
Resolving 'mach1:443'...
Connecting to '192.168.2.1:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', issuer `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', serial 0x482e13e372b44e0164b0efd132cee74262277aeb, RSA key 2048 bits, signed using RSA-SHA256, activated `2023-09-09 19:08:50 UTC', expires `2024-09-08 19:08:50 UTC', pin-sha256="Ij34aiNuu9LzmhsYS3nBjVu+CvV/WLa4ZBzsC0OxJIg="
    Public Key ID:
        sha1:d295190ddc1fc2e135055509549036fa1f763df4
        sha256:223df86a236ebbd2f39a1b184b79c18d5bbe0af57f58b6b8641cec0b43b12488
    Public Key PIN:
        pin-sha256:Ij34aiNuu9LzmhsYS3nBjVu+CvV/WLa4ZBzsC0OxJIg=

- Status: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses expired certificate. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

$ gnutls-serv
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

Pointing the browser to http://localhost:5556/ and got some binary data as an answer.
At the CLI got this feedback:

* Accepted connection from IPv4 127.0.0.1 port 52114 on Tue Feb 25 11:11:16 202
|<0x3d480db0>| Received record packet of unknown type 71
Error in handshake: An unexpected TLS packet was received.

* Accepted connection from IPv4 127.0.0.1 port 52118 on Tue Feb 25 11:11:17 202
|<0x3d480db0>| Received record packet of unknown type 71
Error in handshake: An unexpected TLS packet was received.

In line with previous update, so OK for me.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0071.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED