222823 2008-05-19 15:22 0000 net-libs/gnutls < 2.2.5 Multiple vulnerabilities GNUTLS-SA-2008-1 (CVE-2008-{1948,1949,1950}) 2008-05-22 10:12:38 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2803 A1 [glsa] P2 critical --- 1 arttuv69@gmail.com security@gentoo.org arm@gentoo.org corsair@gentoo.org crypto@gentoo.org m68k@gentoo.org s390@gentoo.org sh@gentoo.org special@dereferenced.net arttuv69@gmail.com 2008-05-19 15:22:17 0000 GNUTLS-SA-2008-1 reported vulnerabilities have been patched in GnuTLS version 2.2.4 released today. keytoaster@gentoo.org 2008-05-19 15:31:31 0000 Thanks for reporting. Maintainer, please bump. special@dereferenced.net 2008-05-20 00:01:39 0000 Should be dealt with quickly; there are three seperate remotely triggerable (prior to authentication) crash bugs fixed in this release, and at least two of them will affect almost any server application using GnuTLS. Should update to 2.2.5 rather than 2.2.4 - it fixes an issue introduced when fixing these vulnerabilities. rbu@gentoo.org 2008-05-20 02:18:23 0000 It is currently unclear whether these bugs could be exploited to execute arbitrary code, so until that is clear, we should handle it as A1. dragonheart, since alonbl unfortunately is retiring, can you bump this package? rbu@gentoo.org 2008-05-20 11:53:27 0000 https://www.cert.fi/haavoittuvuudet/advisory-gnutls.html dragonheart@gentoo.org 2008-05-20 13:41:34 0000 +gnutls-2.2.3.ebuild dragonheart@gentoo.org 2008-05-20 14:12:38 0000 (In reply to comment #5) > +gnutls-2.2.3.ebuild > er - +gnutls-2.2.5.ebuild :-) armin76@gentoo.org 2008-05-20 14:29:01 0000 Which should go stable, then? rbu@gentoo.org 2008-05-20 14:37:04 0000 Arches, please test and mark stable: =net-libs/gnutls-2.2.5 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86" jer@gentoo.org 2008-05-20 15:20:13 0000 Might help to put a copy in distfiles-local quickly. rbu@gentoo.org 2008-05-20 15:35:13 0000 (In reply to comment #9) > Might help to put a copy in distfiles-local quickly. Done. The josefsson.org is incredibly slow. jer@gentoo.org 2008-05-20 16:02:47 0000 Stable for HPPA. superfranky@gmx.at 2008-05-20 17:50:42 0000 guys, there's somthing wrong with the configure options in gnutls-2.2.x! ---snip---- local myconf use bindist && myconf="--disable-lzo" || myconf="$(use_enable lzo)" ---snip---- --disable-lzo should be --without-lzo, otherwise it's a UNRECOGNIZED option, and (use_enable lzo) should be (use_with lzo). Shall i open a new bug report? Just discovered the issue. FranKY armin76@gentoo.org 2008-05-20 19:08:43 0000 alpha/ia64/sparc/x86 stable. Franz, please open a new bug. corsair@gentoo.org 2008-05-20 19:16:07 0000 Thanks for spotting this Franz: ./configure --prefix=/usr --host=powerpc64-unknown-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --without-included-opencdk --with-zlib --with-lzo --enable-nls --disable-guile --disable-gtk-doc --enable-lzo --libdir=/usr/lib64 --build=powerpc64-unknown-linux-gnu configure: WARNING: Unrecognized options: --enable-lzo the error is from the redundant entrys --enable-lzo and --with-lzo. src_compile() logic is broken. it does first "use bindist && myconf="--disable-lzo" || myconf="$(use_enable lzo)"" and then "econf [...] $(use_with lzo)" I removed the redundant one after econf and changed use_enable to use_with in the bindist line. I also changed --disable-lzo to --without-lzo. ppc64 stable by the way. rich0@gentoo.org 2008-05-21 15:11:53 0000 amd64 stable dertobi123@gentoo.org 2008-05-21 16:21:49 0000 ppc stable rbu@gentoo.org 2008-05-21 21:57:51 0000 GLSA 200805-20 pva@gentoo.org 2008-05-22 10:12:38 0000 Fixed in release snapshot.