Those issues were announced here: https://www.openwall.com/lists/oss-security/2025/07/11/3
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 3.8.10
CVE: (none) => CVE-2025-6395, CVE-2025-32989, CVE-2025-32988, CVE-2025-32990
Source RPM: (none) => gnutls-3.8.9-3.mga10.src.rpm, gnutls-3.8.4-1.1.mga9.src.rpm
David has just put v3.8.10 in Cauldron, so Mageia 9 remains to do. Different packagers for this pkg, so assigning globally.
Assignee: bugsquad => pkg-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

null pointer dereference in _gnutls_figure_common_ciphersuite(). (CVE-2025-6395)
Vulnerability in gnutls othername san export. (CVE-2025-32988)
Vulnerability in gnutls sct extension parsing. (CVE-2025-32989)
Vulnerability in gnutls certtool template parsing. (CVE-2025-32990)

References:
https://www.openwall.com/lists/oss-security/2025/07/11/3
========================

Updated packages in core/updates_testing:
========================
gnutls-3.8.4-1.2.mga9
lib(64)gnutls-dane0-3.8.4-1.2.mga9
lib(64)gnutls-devel-3.8.4-1.2.mga9
lib(64)gnutls30-3.8.4-1.2.mga9
lib(64)gnutlsxx30-3.8.4-1.2.mga9

from SRPM:
gnutls-3.8.4-1.2.mga9.src.rpm
Status comment: Fixed upstream in 3.8.10 => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Source RPM: gnutls-3.8.9-3.mga10.src.rpm, gnutls-3.8.4-1.1.mga9.src.rpm => gnutls-3.8.4-1.1.mga9.src.rpm
CC: (none) => mageia
Keywords: (none) => advisory
Source RPM: gnutls-3.8.4-1.1.mga9.src.rpm => gnutls-3.8.4-1.1.mga9
Installed gnutls
Ran gnutls-cli utility - worked
certtool - worked
danetool - responded

$ gnutls-serv --http --priority "NORMAL:+ANON-ECDH:+ANON-DH"
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

* Accepted connection from IPv4 127.0.0.1 port 41350 on Sat Aug 30 15:10:29 202
|<0x4f4adb0>| Received record packet of unknown type 71
Error in handshake: An unexpected TLS packet was received.

* Accepted connection from IPv4 127.0.0.1 port 41364 on Sat Aug 30 15:10:29 202
|<0x4f4adb0>| Received record packet of unknown type 71
Error in handshake: An unexpected TLS packet was received.

Seems to be working for me.
CC: (none) => brtians1
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Repeated tests from bug 31558 with similar results.

$ gnutls-cli mach1
Processed 146 CA certificate(s).
Resolving 'mach1:443'...
Connecting to '192.168.2.1:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', issuer `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', serial 0x482e13e372b44e0164b0efd132cee74262277aeb, RSA key 2048 bits, signed using RSA-SHA256, activated `2023-09-09 19:08:50 UTC', expires `2024-09-08 19:08:50 UTC', pin-sha256="Ij34aiNuu9LzmhsYS3nBjVu+CvV/WLa4ZBzsC0OxJIg="
        Public Key ID:
                sha1:d295190ddc1fc2e135055509549036fa1f763df4
                sha256:223df86a236ebbd2f39a1b184b79c18d5bbe0af57f58b6b8641cec0b43b12488
        Public Key PIN:
                pin-sha256:Ij34aiNuu9LzmhsYS3nBjVu+CvV/WLa4ZBzsC0OxJIg=

- Status: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses expired certificate. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

$ gnutls-serv
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

Pointing the browser to http://localhost:5556/ and got some binary data as an answer.
At the CLI got this feedback:

* Accepted connection from IPv4 127.0.0.1 port 59808 on Sun Aug 31 10:56:15 202
|<0xd940db0>| Received record packet of unknown type 71
Error in handshake: An unexpected TLS packet was received.

* Accepted connection from IPv4 127.0.0.1 port 37310 on Sun Aug 31 10:56:17 202
|<0xd940db0>| Received record packet of unknown type 71
Error in handshake: An unexpected TLS packet was received.

Thus same as in previous update, let it go.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
Installed and tested without issues.

Tested for 4 days on a workstation, and a server.

Tested:
- certtool --text --verbose --certificate-info --infile=/tmp/cert.pem
- certtool --text --verbose --key-info --infile=/tmp/key.pem
- gnutls-serv --http --x509keyfile=/tmp/key.pem --x509certfile=/tmp/cert.pem and
  - sslscan --http localhost:5556
  - curl -ik https://localhost:5556/
- several programs that use gnutls (e.g. tigervnc, systemd, samba, gnupg, aria2)

All OK.

System workstation: Mageia 9, x86_64, Plasma DE, LXQt DE, Xorg, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.

$ uname -a
Linux jupiter 6.6.103-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu Aug 28 20:21:17 UTC 2025 x86_64 GNU/Linux

$ rpm -qa | grep -P 'gnutls.*(3\.8\.4)' | sort
gnutls-3.8.4-1.2.mga9
lib64gnutls30-3.8.4-1.2.mga9
lib64gnutls-dane0-3.8.4-1.2.mga9
lib64gnutls-devel-3.8.4-1.2.mga9
lib64gnutlsxx30-3.8.4-1.2.mga9
libgnutls30-3.8.4-1.2.mga9

System server: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.

$ uname -a
Linux marte 6.6.103-server-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu Aug 28 21:01:30 UTC 2025 x86_64 GNU/Linux

$ rpm -qa | grep -P 'gnutls.*(3\.8\.4)' | sort
gnutls-3.8.4-1.1.mga9
lib64gnutls30-3.8.4-1.1.mga9
lib64gnutls-dane0-3.8.4-1.1.mga9
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0225.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED