Fix: https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892 (included in 3.8.9)

Source RPM: (none) => gnutls-3.8.7-1.mga10.src.rpm, gnutls-3.8.4-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-12243
Status comment: (none) => Fixed upstream in 3.8.9 and patch available from upstream

Ubuntu has issued an advisory on February 20:
https://ubuntu.com/security/notices/USN-7281-1

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Gnutls impacted by inefficient der decoding in libtasn1 leading to remote dos. (CVE-2024-12243)

References:
https://lists.debian.org/debian-security-announce/2025/msg00029.html
https://ubuntu.com/security/notices/USN-7281-1
========================

Updated packages in core/updates_testing:
========================
gnutls-3.8.4-1.1.mga9
lib(64)gnutls-dane0-3.8.4-1.1.mga9
lib(64)gnutls-devel-3.8.4-1.1.mga9
lib(64)gnutls30-3.8.4-1.1.mga9
lib(64)gnutlsxx30-3.8.4-1.1.mga9

from SRPM:
gnutls-3.8.4-1.1.mga9.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 9
Assignee: bugsquad => qa-bugs
Source RPM: gnutls-3.8.7-1.mga10.src.rpm, gnutls-3.8.4-1.mga9.src.rpm => gnutls-3.8.4-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Status comment: Fixed upstream in 3.8.9 and patch available from upstream => (none)

RH x86_64

I wonder if we are affected

certtool -i --infile ./CVE-2024-12243-cert.pem 
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 2148e1887530712819cced86a6b796ec3e5f6351
        Issuer: CN=Root CA,O=Root CA,C=CN
        Validity:
                Not Before: Tue May 28 08:02:27 UTC 2024
                Not After: Wed May 28 08:02:27 UTC 2025
        Subject: CN=Root CA,O=Root CA,C=CN
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: Medium (2048 bits)
                Modulus (bits 2048):
                        00:a3:6d:03:34:e4:7e:f6:9b:50:07:65:6a:cf:b0:8c
                        71:13:0d:3b:99:73:75:a0:9f:f3:ac:66:78:c6:53:ba
                        aa:db:e2:84:d4:06:60:50:36:b4:39:34:ea:ae:0b:26
                        e2:25:f0:79:87:df:42:2c:21:28:23:78:7e:7a:95:7b
                        6c:8a:c2:9f:00:da:4c:4f:00:0b:99:c7:37:fb:ad:ff
                        65:64:d3:b4:fa:cc:14:14:c0:19:cf:67:c2:50:ee:67
                        e4:36:9a:36:c0:48:ea:57:d7:87:1d:82:4a:3d:6d:8e
                        4e:9c:3e:48:c9:79:18:2f:9b:ad:b2:a8:0a:66:57:09
                        51:cd:9d:5b:88:3e:58:1c:41:5b:37:48:cf:17:01:10
                        da:d2:7a:f0:4e:90:eb:84:8b:72:74:cc:88:03:9c:94
                        9c:66:50:a2:ea:e5:d6:be:a4:34:0a:92:76:c0:ff:e9
                        ac:be:e6:76:c2:c8:d3:ee:e8:61:19:d9:df:22:35:86
                        2e:31:1e:d7:14:4b:7c:32:9d:a4:2b:a2:6b:86:c3:10
                        a9:ae:0e:8f:3b:ba:07:39:ff:bd:b3:2a:13:c1:b4:21
                        12:b1:36:27:7e:f6:45:06:51:fe:f4:0a:18:4a:f0:87
                        c4:7e:b6:66:e3:52:1d:62:bf:51:91:f2:6c:9c:74:0b
                        fd
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Subject Alternative Name (not critical):
                        DNSname: 1example.com

Never overload the cpu as described, will test again after update

RH x86_64

installing gnutls-3.8.4-1.1.mga9.x86_64.rpm lib64gnutls30-3.8.4-1.1.mga9.x86_64.rpm lib64gnutls-dane0-3.8.4-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: lib64gnutls30         ##################################################################################################
      2/3: lib64gnutls-dane0     ##################################################################################################
      3/3: gnutls                ##################################################################################################
      1/3: removing gnutls-3.8.4-1.mga9.x86_64
                                 ##################################################################################################
      2/3: removing lib64gnutls-dane0-3.8.4-1.mga9.x86_64
                                 ##################################################################################################
      3/3: removing lib64gnutls30-3.8.4-1.mga9.x86_64
                                 ##################################################################################################

certtool -i --infile ./CVE-2024-12243-cert.pem
Produce the information a few more fast

MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Repeated tests from bug 31558 with similar results.
$ gnutls-cli mach1
Processed 150 CA certificate(s).
Resolving 'mach1:443'...
Connecting to '192.168.2.1:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', issuer `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', serial 0x482e13e372b44e0164b0efd132cee74262277aeb, RSA key 2048 bits, signed using RSA-SHA256, activated `2023-09-09 19:08:50 UTC', expires `2024-09-08 19:08:50 UTC', pin-sha256="Ij34aiNuu9LzmhsYS3nBjVu+CvV/WLa4ZBzsC0OxJIg="
        Public Key ID:
                sha1:d295190ddc1fc2e135055509549036fa1f763df4
                sha256:223df86a236ebbd2f39a1b184b79c18d5bbe0af57f58b6b8641cec0b43b12488
        Public Key PIN:
                pin-sha256:Ij34aiNuu9LzmhsYS3nBjVu+CvV/WLa4ZBzsC0OxJIg=

- Status: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses expired certificate. The name in the certificate does not match the expected. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

$ gnutls-serv
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done
pointing the browser to http://localhost:5556/ and got some binary data as an answer.
at the CLI got this feedback:
* Accepted connection from IPv4 127.0.0.1 port 52114 on Tue Feb 25 11:11:16 202
|<0x3d480db0>| Received record packet of unknown type 71
Error in handshake: An unexpected TLS packet was received.

* Accepted connection from IPv4 127.0.0.1 port 52118 on Tue Feb 25 11:11:17 202
|<0x3d480db0>| Received record packet of unknown type 71
Error in handshake: An unexpected TLS packet was received.

Inline withprevious update, so OK for me.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0071.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED