Bug 9038 - [Update Request] Update gnutls to 3.0.28 to fix CVE-2013-1619
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://www.gnutls.org/security.html#G...
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Keywords: validated_update
Reported: 2013-02-11 13:04 CET by Funda Wang
Modified: 2013-02-13 00:59 CET (History)
Source RPM: gnutls-3.0.28-2.mga2


Description Funda Wang 2013-02-11 13:04:05 CET
Hello,

Nadhem Alfardan and Kenny Paterson devised an attack that recovers some bits of the plaintext of a GnuTLS session that utilizes the CBC ciphersuites, by using timing information (CVE-2013-1619).

The gnutls package has been updated to the latest 3.0.28 version to fix the above problem.

Please note that as gnutls 3.0.28 now requires libtasn1 >= 2.14, a newer version of libtasn1 is also required to have gnutls 3.0.28 installed.
Comment 1 claire robinson 2013-02-11 15:02:21 CET
SRPM: gnutls-3.0.28-2.mga2.src.rpm
----------------------------------
gnutls
lib64gnutls28
lib64gnutls-devel
lib64gnutls-ssl27
Comment 2 claire robinson 2013-02-11 15:03:14 CET
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=6911#c1
Comment 3 claire robinson 2013-02-11 15:12:28 CET
So 2 SRPMs in this update.

SRPM: libtasn1-2.14-1.mga2.src.rpm
----------------------------------
lib64tasn1_3
lib64tasn1-devel
libtasn1-tools
Comment 4 claire robinson 2013-02-11 15:18:20 CET
Testing complete mga2 64

Confirmed the update requires the new lib64tasn1_3

# urpmi gnutls
Marking gnutls as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Updates Testing")
  gnutls                         3.0.28       2.mga2        x86_64
  lib64gnutls-devel              3.0.28       2.mga2        x86_64
  lib64gnutls-ssl27              3.0.28       2.mga2        x86_64
  lib64gnutls28                  3.0.28       2.mga2        x86_64
  lib64tasn1-devel               2.14         1.mga2        x86_64
  lib64tasn1_3                   2.14         1.mga2        x86_64
74KB of additional disk space will be used.
1.8MB of packages will be retrieved.

$ gnutls-cli www.mageia.org
Processed 181 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '217.70.188.116:443'...
- Peer's certificate is trusted
- The hostname in the certificate matches 'www.mageia.org'.
..etc


Depchecked OK. Added requires are provided in updates.
Comment 5 claire robinson 2013-02-11 18:28:23 CET
Testing complete mga2 32

The versioned require is on libgnutls28 rather than gnutls itself, so gnutls doesn't require the correct lib version and fails.


$ gnutls-cli www.mageia.org
gnutls-cli: relocation error: gnutls-cli: symbol gnutls_certificate_set_x509_system_trust, version GNUTLS_3_0_0 not defined in file libgnutls.so.28 with link time reference

After installing the updated libgnutls28 which requires the correct version of libtasn1_3 it works as expected.

I don't see this as an issue as it should install the latest version found in updates when installed from scratch and we don't officially support cherry-picking updates.

Confirmed libgnutls28 does require the updated libtasn1_3.
Comment 6 claire robinson 2013-02-11 18:31:04 CET
Validating

Advisory
--------
Nadhem Alfardan and Kenny Paterson devised an attack that recovers some bits of
the plaintext of a GnuTLS session that utilizes the CBC ciphersuites, by using
timing information (CVE-2013-1619).

The gnutls package has been updated to the latest 3.0.28 version to fix the above
problem.
--------

SRPMs:
gnutls-3.0.28-2.mga2.src.rpm
libtasn1-2.14-1.mga2.src.rpm


Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 7 Funda Wang 2013-02-12 08:46:41 CET
OK, I've pushed gnutls-3.0.28-3.mga2 into updates_testing so that correct version of libs are required.
Comment 8 Thomas Backlund 2013-02-12 10:46:36 CET
validation dropped due to rebuild of gnutls
Comment 9 claire robinson 2013-02-12 14:09:25 CET
Retesting mga2 64 complete

# dcupdt
Disabling Core Updates Testing
# rpm -e --nodeps lib64tasn1_3
# urpmi lib64tasn1_3
Marking lib64tasn1_3 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
installing lib64tasn1_3-2.12-1.mga2.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     #########################
      1/1: lib64tasn1_3          #########################

# urpmi gnutls
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Updates Testing")
  gnutls                         3.0.28       3.mga2        x86_64
  lib64gnutls-devel              3.0.28       3.mga2        x86_64
  lib64gnutls-ssl27              3.0.28       3.mga2        x86_64
  lib64gnutls28                  3.0.28       3.mga2        x86_64
  lib64tasn1_3                   2.14         1.mga2        x86_64
16B of disk space will be freed.
1.8MB of packages will be retrieved.
Proceed with the installation of the 5 packages? (Y/n) y

$ gnutls-cli www.mageia.org
Processed 181 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '217.70.188.116:443'...
- Peer's certificate is trusted
- The hostname in the certificate matches 'www.mageia.org'.
...etc
Comment 10 claire robinson 2013-02-12 14:28:59 CET
Completed mga2 32

ReValidating

Advisory
--------
Nadhem Alfardan and Kenny Paterson devised an attack that recovers some bits of
the plaintext of a GnuTLS session that utilizes the CBC ciphersuites, by using
timing information (CVE-2013-1619).

The gnutls package has been updated to the latest 3.0.28 version to fix the above
problem.
--------

SRPMs:
gnutls-3.0.28-3.mga2.src.rpm
libtasn1-2.14-1.mga2.src.rpm


Could sysadmin please push from core/updates_testing to core/updates

Thanks!
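A check for the situation in comment 5 (gnutls updated while lib64tasn1_3 stayed at the old level) against the package set validated in comment 10, written here as an added example rather than anything from the bug report or the Mageia QA procedure. It assumes the 64-bit package names and takes installed package lines in rpm's "%{NAME} %{VERSION} %{RELEASE}" format, so it runs offline on the constructed samples inside it.

```shell
# Added example, not from the bug report: confirm that every package in the
# CVE-2013-1619 update set is at or above the validated level. Comment 5 showed
# a partial update leaving an old lib64tasn1_3, so each package is checked,
# not just gnutls. 64-bit package names from comments 1 and 3 are assumed.
FIXED='gnutls 3.0.28 3.mga2
lib64gnutls28 3.0.28 3.mga2
lib64tasn1_3 2.14 1.mga2'

# Compare dot-separated version strings: numeric segments as integers,
# others (e.g. mga2) lexically. Prints -1, 0 or 1.
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        case "$x$y" in
            *[!0-9]*) [ "$x" \< "$y" ] && { echo -1; return; }
                      [ "$x" \> "$y" ] && { echo 1; return; } ;;
            *)        [ "${x:-0}" -lt "${y:-0}" ] && { echo -1; return; }
                      [ "${x:-0}" -gt "${y:-0}" ] && { echo 1; return; } ;;
        esac
    done
    echo 0
}

# $1: installed packages as "NAME VERSION RELEASE" lines, the output format of
# rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'. Prints each package of the
# fix set that is missing or too old; returns 1 if any, 0 if all are fixed.
check_fixed() {
    installed=$1 bad=0
    while read -r name fver frel; do
        line=$(printf '%s\n' "$installed" | grep "^$name " || true)
        if [ -z "$line" ]; then echo "$name: not installed"; bad=1; continue; fi
        set -- $line   # $2 = installed version, $3 = installed release
        r=$(vercmp "$2" "$fver"); [ "$r" = 0 ] && r=$(vercmp "$3" "$frel")
        [ "$r" -lt 0 ] && { echo "$name $2-$3 is below fixed $fver-$frel"; bad=1; }
    done <<EOF
$FIXED
EOF
    return $bad
}

# Constructed samples: a cherry-picked state like comment 5 (first gnutls build,
# lib64tasn1_3 still at 2.12) and the complete set installed in comment 9.
PARTIAL='gnutls 3.0.28 2.mga2
lib64gnutls28 3.0.28 2.mga2
lib64tasn1_3 2.12 1.mga2'
check_fixed "$PARTIAL" || echo "partial update: not at the fixed level"
check_fixed "$FIXED" && echo "all packages at the fixed level"
```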
Comment 11 Thomas Backlund 2013-02-13 00:59:49 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0050
