OpenSuSE issued an advisory on March 9:
http://lists.opensuse.org/opensuse-updates/2012-03/msg00010.html

This is fixed in the version of gnutls we have in Mageia 2.

Patched package uploaded for Mageia 1.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain error-handling code only if there is a specific relationship between a padding length and the ciphertext size, which makes it easier for remote attackers to recover partial plaintext via a timing side-channel attack (CVE-2012-0390).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0390
http://lists.opensuse.org/opensuse-updates/2012-03/msg00010.html
========================

Updated packages in core/updates_testing:
========================
gnutls-2.10.5-2.3.mga1
libgnutls26-2.10.5-2.3.mga1
libgnutls-devel-2.10.5-2.3.mga1

from gnutls-2.10.5-2.3.mga1.src.rpm
The only changed file in the packages is /usr/lib/libgnutls.so.26.16.14 from libgnutls26 (i586), and also devel files from libgnutls-devel. gnutls itself is unchanged. "gnutls-cli www.mageia.org" shows handshake works. Then type anything and get a 400 error from the Mageia server, which shows the connection works.
CC: (none) => stormi
Whiteboard: (none) => has_procedure MGA1-32-OK
No exploit found.
Testing complete Mageia 1 64. Update validated. See comment #0 for advisory and SRPM.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA1-32-OK => has_procedure MGA1-32-OK MGA1-64-OK
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0202
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED