Mageia Bugzilla – Bug 6911
gnutls missing update for CVE-2012-0390
Last modified: 2012-08-06 18:58:22 CEST
OpenSuSE issued an advisory on March 9:
This is fixed in the version of gnutls we have in Mageia 2.
Patched package uploaded for Mageia 1.
Updated gnutls packages fix security vulnerability:
The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain
error-handling code only if there is a specific relationship between a
padding length and the ciphertext size, which makes it easier for remote
attackers to recover partial plaintext via a timing side-channel attack
Updated packages in core/updates_testing:
The only changed file in the packages is /usr/lib/libgnutls.so.26.16.14 from libgnutls26 (i586), and also devel files from libgnutls-devel. gnutls itself is unchanged.
"gnutls-cli www.mageia.org" shows the handshake works. Then type anything and get a 400 error from the Mageia server; it shows the connection works.
No exploit found.
Testing complete Mageia 1 64.
See comment #0 for advisory and SRPM.