Hello, Nadhem Alfardan and Kenny Paterson devised an attack that recovers some bits of the plaintext of a GnuTLS session that utilizes that CBC ciphersuites, by using timing information (CVE-2013-1619). The gnutls package has been updated to latest 3.0.28 version to fix above problem. Please note that as gnutls 3.0.28 now requires libtasn1 >= 2.14, newer version of libtasn is also required to have gnutls 3.0.28 installed.
SRPM: gnutls-3.0.28-2.mga2.src.rpm ---------------------------------- gnutls lib64gnutls28 lib64gnutls-devel lib64gnutls-ssl27
Whiteboard: (none) => has_procedure
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=6911#c1
So 2 SRPM's in this update. SRPM: libtasn1-2.14-1.mga2.src.rpm ---------------------------------- lib64tasn1_3 lib64tasn1-devel libtasn1-tools
Testing complete mga2 64 Confirmed the update requires the new lib64tasn1_3 # urpmi gnutls Marking gnutls as manually installed, it won't be auto-orphaned writing /var/lib/rpm/installed-through-deps.list To satisfy dependencies, the following packages are going to be installed: Package Version Release Arch (medium "Core Updates Testing") gnutls 3.0.28 2.mga2 x86_64 lib64gnutls-devel 3.0.28 2.mga2 x86_64 lib64gnutls-ssl27 3.0.28 2.mga2 x86_64 lib64gnutls28 3.0.28 2.mga2 x86_64 lib64tasn1-devel 2.14 1.mga2 x86_64 lib64tasn1_3 2.14 1.mga2 x86_64 74KB of additional disk space will be used. 1.8MB of packages will be retrieved. $ gnutls-cli www.mageia.org Processed 181 CA certificate(s). Resolving 'www.mageia.org'... Connecting to '217.70.188.116:443'... - Peer's certificate is trusted - The hostname in the certificate matches 'www.mageia.org'. ..etc Depchecked OK. Added requires are provided in updates.
Whiteboard: has_procedure => has_procedure mga2-64-ok
Testing complete mga2 32 The versioned require is on libgnutls28 rather than gnutls itself, so gnutls doesn't require the correct lib version and fails. $ gnutls-cli www.mageia.org gnutls-cli: relocation error: gnutls-cli: symbol gnutls_certificate_set_x509_system_trust, version GNUTLS_3_0_0 not defined in file libgnutls.so.28 with link time reference After installing the updated libgnutls28 which requires the correct version of libtasn1_3 it works as expected. I don't see this as an issue as it should install the latest version found in updates when installed from scratch and we don't officially support cherrypicking updates. Confirmed libgnutls28 does require the updated libtasn1_3.
Validating Advisory -------- Nadhem Alfardan and Kenny Paterson devised an attack that recovers some bits of the plaintext of a GnuTLS session that utilizes that CBC ciphersuites, by using timing information (CVE-2013-1619). The gnutls package has been updated to latest 3.0.28 version to fix above problem. -------- SRPMs: gnutls-3.0.28-2.mga2.src.rpm libtasn1-2.14-1.mga2.src.rpm Could sysadmin please push from core/updates_testing to core/updates Thanks!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
OK, I've pushed gnutls-3.0.28-3.mga2 into updates_testing so that correct version of libs are required.
validation dropped due to rebuild of gnutls
Keywords: validated_update => (none)CC: (none) => tmbWhiteboard: has_procedure mga2-64-ok mga2-32-ok => has_procedure
Retesting mga2 64 complete # dcupdt Disabling Core Updates Testing # rpm -e --nodeps lib64tasn1_3 # urpmi lib64tasn1_3 Marking lib64tasn1_3 as manually installed, it won't be auto-orphaned writing /var/lib/rpm/installed-through-deps.list installing lib64tasn1_3-2.12-1.mga2.x86_64.rpm from /var/cache/urpmi/rpms Preparing... ######################### 1/1: lib64tasn1_3 ######################### # urpmi gnutls To satisfy dependencies, the following packages are going to be installed: Package Version Release Arch (medium "Core Updates Testing") gnutls 3.0.28 3.mga2 x86_64 lib64gnutls-devel 3.0.28 3.mga2 x86_64 lib64gnutls-ssl27 3.0.28 3.mga2 x86_64 lib64gnutls28 3.0.28 3.mga2 x86_64 lib64tasn1_3 2.14 1.mga2 x86_64 16B of disk space will be freed. 1.8MB of packages will be retrieved. Proceed with the installation of the 5 packages? (Y/n) y $ gnutls-cli www.mageia.org Processed 181 CA certificate(s). Resolving 'www.mageia.org'... Connecting to '217.70.188.116:443'... - Peer's certificate is trusted - The hostname in the certificate matches 'www.mageia.org'. ...etc
Completed mga2 32 ReValidating Advisory -------- Nadhem Alfardan and Kenny Paterson devised an attack that recovers some bits of the plaintext of a GnuTLS session that utilizes that CBC ciphersuites, by using timing information (CVE-2013-1619). The gnutls package has been updated to latest 3.0.28 version to fix above problem. -------- SRPMs: gnutls-3.0.28-3.mga2.src.rpm libtasn1-2.14-1.mga2.src.rpm Could sysadmin please push from core/updates_testing to core/updates Thanks!
Keywords: (none) => validated_updateWhiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0050
Status: NEW => RESOLVEDResolution: (none) => FIXED