Bug 6911 - gnutls missing update for CVE-2012-0390
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal
Severity: normal
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/486067/
Whiteboard: has_procedure MGA1-32-OK MGA1-64-OK
Keywords: validated_update
Reported: 2012-07-31 02:02 CEST by David Walser
Modified: 2012-08-06 18:58 CEST
Source RPM: gnutls-2.10.5-2.2.mga1.src.rpm

Description David Walser 2012-07-31 02:02:47 CEST
OpenSuSE issued an advisory on March 9:
http://lists.opensuse.org/opensuse-updates/2012-03/msg00010.html

This is fixed in the version of gnutls we have in Mageia 2.

Patched package uploaded for Mageia 1.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain
error-handling code only if there is a specific relationship between a
padding length and the ciphertext size, which makes it easier for remote
attackers to recover partial plaintext via a timing side-channel attack
(CVE-2012-0390).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0390
http://lists.opensuse.org/opensuse-updates/2012-03/msg00010.html
========================

Updated packages in core/updates_testing:
========================
gnutls-2.10.5-2.3.mga1
libgnutls26-2.10.5-2.3.mga1
libgnutls-devel-2.10.5-2.3.mga1

from gnutls-2.10.5-2.3.mga1.src.rpm
Comment 1 Samuel Verschelde 2012-08-05 16:59:34 CEST
The only changed file in the packages is /usr/lib/libgnutls.so.26.16.14 from libgnutls26 (i586), and also devel files from libgnutls-devel. gnutls itself is unchanged.

"gnutls-cli www.mageia.org" shows the handshake works. Then type anything and get a 400 error from the Mageia server; it shows the connection works.
Comment 2 Samuel Verschelde 2012-08-05 17:14:35 CEST
No exploit found.
Comment 3 Samuel Verschelde 2012-08-05 20:21:49 CEST
Testing complete Mageia 1 64.

Update validated.

See comment #0 for advisory and SRPM.
Comment 4 Thomas Backlund 2012-08-06 18:58:22 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0202
