GNUTLS-SA-2008-1 reported vulnerabilities have been patched in GnuTLS version 2.2.4 released today.
Thanks for reporting. Maintainer, please bump.
Should be dealt with quickly; there are three separate remotely triggerable (prior to authentication) crash bugs fixed in this release, and at least two of them will affect almost any server application using GnuTLS. Should update to 2.2.5 rather than 2.2.4 - it fixes an issue introduced when fixing these vulnerabilities.
It is currently unclear whether these bugs could be exploited to execute arbitrary code, so until that is clear, we should handle it as A1. dragonheart, since alonbl unfortunately is retiring, can you bump this package?
https://www.cert.fi/haavoittuvuudet/advisory-gnutls.html
+gnutls-2.2.3.ebuild
(In reply to comment #5)
> +gnutls-2.2.3.ebuild
er - +gnutls-2.2.5.ebuild :-)
Which should go stable, then?
Arches, please test and mark stable:
=net-libs/gnutls-2.2.5
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
Might help to put a copy in distfiles-local quickly.
(In reply to comment #9)
> Might help to put a copy in distfiles-local quickly.
Done. The josefsson.org is incredibly slow.
Stable for HPPA.
Guys, there's something wrong with the configure options in gnutls-2.2.x!
---snip----
local myconf
use bindist && myconf="--disable-lzo" || myconf="$(use_enable lzo)"
---snip----
--disable-lzo should be --without-lzo, otherwise it's an UNRECOGNIZED option, and (use_enable lzo) should be (use_with lzo). Shall I open a new bug report? Just discovered the issue.
FranKY
alpha/ia64/sparc/x86 stable. Franz, please open a new bug.
Thanks for spotting this Franz:
./configure --prefix=/usr --host=powerpc64-unknown-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --without-included-opencdk --with-zlib --with-lzo --enable-nls --disable-guile --disable-gtk-doc --enable-lzo --libdir=/usr/lib64 --build=powerpc64-unknown-linux-gnu
configure: WARNING: Unrecognized options: --enable-lzo
The error is from the redundant entries --enable-lzo and --with-lzo. The src_compile() logic is broken. It first does "use bindist && myconf="--disable-lzo" || myconf="$(use_enable lzo)"" and then "econf [...] $(use_with lzo)". I removed the redundant one after econf and changed use_enable to use_with in the bindist line. I also changed --disable-lzo to --without-lzo. ppc64 stable, by the way.
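An added example, not part of the original thread or the ebuild: it models the lzo arguments before and after the fix described in the comment above, and shows that with both bindist and lzo set the old logic still passed a recognized --with-lzo, so the bindist branch, which is written to switch lzo off, had no effect. The `use`, `use_with` and `use_enable` functions are simplified stand-ins for the Portage helpers of the same names; `lzo_built` is a hypothetical model of configure that assumes lzo is off unless --with-lzo is given.

```shell
#!/bin/sh
# Added example. USE holds a constructed flag list; the three helpers below
# are simplified stand-ins for the Portage functions, not the real ones.
USE=""

use() { case " $USE " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }
use_with() { if use "$1"; then echo "--with-$1"; else echo "--without-$1"; fi; }
use_enable() { if use "$1"; then echo "--enable-$1"; else echo "--disable-$1"; fi; }

# lzo arguments as produced by the src_compile() logic quoted in the thread:
# myconf from the bindist line, plus the $(use_with lzo) passed to econf.
lzo_args_before() {
    use bindist && myconf="--disable-lzo" || myconf="$(use_enable lzo)"
    echo "$(use_with lzo) $myconf"
}

# lzo arguments after the fix described in the thread: use_with in the
# bindist line, --without-lzo for bindist, no second lzo switch after econf.
lzo_args_after() {
    use bindist && myconf="--without-lzo" || myconf="$(use_with lzo)"
    echo "$myconf"
}

# Hypothetical model of configure: only --with-lzo/--without-lzo are known;
# anything else is skipped, as configure only warns about it.
# Assumption: lzo is off when neither switch is given.
lzo_built() {
    result=no
    for opt in "$@"; do
        case "$opt" in
            --with-lzo) result=yes ;;
            --without-lzo) result=no ;;
        esac
    done
    echo "$result"
}

# report "<USE flags>": effective lzo setting before and after the fix.
report() {
    USE="$1"
    # Unquoted on purpose: the argument string must split into options.
    echo "before=$(lzo_built $(lzo_args_before)) after=$(lzo_built $(lzo_args_after))"
}

for flags in "lzo" "bindist lzo" "bindist" ""; do
    echo "USE='$flags': $(report "$flags")"
done
```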
amd64 stable
ppc stable
GLSA 200805-20
Fixed in release snapshot.