Reference: https://www.openwall.com/lists/oss-security/2026/02/09/6
CVE: (none) => CVE-2026-1584, CVE-2025-14831
Status comment: (none) => Fixed upstream in 3.8.12
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => gnutls-3.8.11-1.mga10.src.rpm, gnutls-3.8.4-1.3.mga9.src.rpm
Flags: (none) => affects_mga9+
For Cauldron, I asked for a freeze move.
Version: Cauldron => 9
Flags: affects_mga9+ => (none)
Source RPM: gnutls-3.8.11-1.mga10.src.rpm, gnutls-3.8.4-1.3.mga9.src.rpm => gnutls-3.8.4-1.3.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
A version update. Nicolas did Cauldron, just M9 here.
Assignee: bugsquad => pkg-bugs
CVE-2026-1584 only affected version 3.8.11.
Summary: gnutls new security issues CVE-2026-1584 and CVE-2025-14831 => gnutls new security issue CVE-2025-14831
CVE: CVE-2026-1584, CVE-2025-14831 => CVE-2025-14831
Debian has issued an advisory on February 18: https://lwn.net/Articles/1059287/
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Denial of service via excessive resource consumption during certificate verification. (CVE-2025-14831)

References:
https://www.openwall.com/lists/oss-security/2026/02/09/6
https://lists.debian.org/debian-security-announce/2026/msg00049.html
========================

Updated packages in core/updates_testing:
========================
gnutls-3.8.4-1.4.mga9
lib(64)gnutls-dane0-3.8.4-1.4.mga9
lib(64)gnutls-devel-3.8.4-1.4.mga9
lib(64)gnutls30-3.8.4-1.4.mga9
lib(64)gnutlsxx30-3.8.4-1.4.mga9

from SRPM:
gnutls-3.8.4-1.4.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 3.8.12 => (none)
MGA9-32, Xfce, old AMD

The following 4 packages are going to be installed:

- gnutls-3.8.4-1.4.mga9.i586
- libgnutls-dane0-3.8.4-1.4.mga9.i586
- libgnutls30-3.8.4-1.4.mga9.i586
- libunbound8-1.24.2-1.mga9.i586

5.5MB of additional disk space will be used.

-------------

$ gnutls-cli --version
gnutls-cli 3.8.4

$ gnutls-cli mageia.org
Processed 148 CA certificate(s).
Resolving 'mageia.org:443'...
Connecting to '163.172.148.228:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=*.mageia.org', issuer `CN=GandiCert,O=Gandi SAS,C=FR', serial 0x0d11ffdfb0bc71e08558c89b798f6c25, RSA key 2048 bits, signed using RSA-SHA256, activated `2026-02-09 00:00:00 UTC', expires `2027-02-10 23:59:59 UTC', pin-sha256="amejU2S4c5q4CuN/+JagClxZANryM7QWbyZnrbMiUfk="
	Public Key ID:
		sha1:fa0c97bf17e95b7dd169e776de09c3ea7707a71f
		sha256:6a67a35364b8739ab80ae37ff896a00a5c5900daf233b4166f2667adb32251f9
	Public Key PIN:
		pin-sha256:amejU2S4c5q4CuN/+JagClxZANryM7QWbyZnrbMiUfk=
- Certificate[1] info:
 - subject `CN=GandiCert,O=Gandi SAS,C=FR', issuer `CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x0b9b5e7f6773ae8c643221657cee67c1, RSA key 4096 bits, signed using RSA-SHA256, activated `2024-04-17 00:00:00 UTC', expires `2034-04-16 23:59:59 UTC', pin-sha256="0dflgFofXiuLoZvgRpP8N9xrpDTgZ7c1xbmTjIxym7o="
- Status: The certificate is trusted.
- Description: (TLS1.3-X.509)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Session ID: F3:89:62:AA:85:3B:48:DD:5C:AB:44:EE:36:76:8D:24:CE:DA:AD:E1:B7:4E:18:6C:EA:B2:87:29:93:78:90:65
- Options:
- Handshake was completed
- Simple Client Mode:

Seems to be working as expected in 32bit.
Whiteboard: (none) => MGA9-32-OK
CC: (none) => brtians1
Keywords: (none) => advisory
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Repeated tests from bug 31558 with similar results.

$ gnutls-cli mach1
Processed 148 CA certificate(s).
Resolving 'mach1:443'...
Connecting to '192.168.2.1:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', issuer `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', serial 0x482e13e372b44e0164b0efd132cee74262277aeb, RSA key 2048 bits, signed using RSA-SHA256, activated `2023-09-09 19:08:50 UTC', expires `2024-09-08 19:08:50 UTC', pin-sha256="Ij34aiNuu9LzmhsYS3nBjVu+CvV/WLa4ZBzsC0OxJIg="
	Public Key ID:
		sha1:d295190ddc1fc2e135055509549036fa1f763df4
		sha256:223df86a236ebbd2f39a1b184b79c18d5bbe0af57f58b6b8641cec0b43b12488
	Public Key PIN:
		pin-sha256:Ij34aiNuu9LzmhsYS3nBjVu+CvV/WLa4ZBzsC0OxJIg=
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses expired certificate. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

$ gnutls-serv
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

Pointing the browser to http://localhost:5556/ and got some binary data as an answer.
At the CLI got this feedback:

* Accepted connection from IPv4 127.0.0.1 port 41382 on Fri Feb 20 11:47:05 202
|<0x1a17adb0>| Received record packet of unknown type 71
Error in handshake: An unexpected TLS packet was received.
* Accepted connection from IPv4 127.0.0.1 port 41392 on Fri Feb 20 11:47:09 202
|<0x1a17adb0>| Received record packet of unknown type 71
Error in handshake: An unexpected TLS packet was received.

Same as in ^previous update, so good to go.
Flags: (none) => test_passed_mga9_64+
Whiteboard: MGA9-32-OK => MGA9-32-OK MGA9-64-OK
CC: (none) => herman.viaene
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2026-0045.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED