Bug 222823 - net-libs/gnutls < 2.2.5 Multiple vulnerabilities GNUTLS-SA-2008-1 (CVE-2008-{1948,1949,1950})
Bug#: 222823
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: critical
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: arttuv69@gmail.com
Component: Vulnerabilities
URL: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2803
Summary: net-libs/gnutls < 2.2.5 Multiple vulnerabilities GNUTLS-SA-2008-1 (CVE-2008-{1948,1949,1950})
Keywords:
Status Whiteboard: A1 [glsa]
Opened: 2008-05-19 15:22 0000

GNUTLS-SA-2008-1 reported vulnerabilities have been patched in GnuTLS version
2.2.4 released today.
Thanks for reporting.
Maintainer, please bump.

Should be dealt with quickly; there are three separate remotely triggerable
(prior to authentication) crash bugs fixed in this release, and at least two of
them will affect almost any server application using GnuTLS. Should update to
2.2.5 rather than 2.2.4 - it fixes an issue introduced when fixing these
vulnerabilities.

It is currently unclear whether these bugs could be exploited to execute
arbitrary code, so until that is clear, we should handle it as A1.

dragonheart, since alonbl unfortunately is retiring, can you bump this package?

(In reply to comment #5)
> +gnutls-2.2.3.ebuild
>
er - +gnutls-2.2.5.ebuild :-)

Which should go stable, then?

Arches, please test and mark stable:
=net-libs/gnutls-2.2.5
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh
sparc x86"

Might help to put a copy in distfiles-local quickly.

(In reply to comment #9)
> Might help to put a copy in distfiles-local quickly.
Done. The josefsson.org is incredibly slow.

guys, there's something wrong with the configure options in gnutls-2.2.x!
---snip----
local myconf
use bindist && myconf="--disable-lzo" || myconf="$(use_enable lzo)"
---snip----
--disable-lzo should be --without-lzo, otherwise it's an UNRECOGNIZED option,
and (use_enable lzo) should be (use_with lzo).
Shall I open a new bug report? Just discovered the issue.
FranKY

alpha/ia64/sparc/x86 stable.

Franz, please open a new bug.

Thanks for spotting this Franz:
./configure --prefix=/usr --host=powerpc64-unknown-linux-gnu
--mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share
--sysconfdir=/etc --localstatedir=/var/lib --without-included-opencdk
--with-zlib --with-lzo --enable-nls --disable-guile --disable-gtk-doc
--enable-lzo --libdir=/usr/lib64 --build=powerpc64-unknown-linux-gnu
configure: WARNING: Unrecognized options: --enable-lzo
The error is from the redundant entries --enable-lzo and --with-lzo.
src_compile() logic is broken. It does first "use bindist &&
myconf="--disable-lzo" || myconf="$(use_enable lzo)"" and then "econf [...]
$(use_with lzo)"
I removed the redundant one after econf and changed use_enable to use_with in
the bindist line. I also changed --disable-lzo to --without-lzo.
ppc64 stable by the way.

Fixed in release snapshot.
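An added example, not code from this bug or from the gnutls ebuild: a small POSIX shell model of the src_compile() mistake Franz found and of the corrected logic. `use`, `use_with`, `use_enable` and the `USE` variable are simplified stand-ins for the Gentoo helpers, and `option_recognized` encodes only the LZO options that this thread shows configure accepting or rejecting.

```shell
#!/bin/sh
# Models the gnutls-2.2.x ebuild bug: an --enable/--disable switch passed for
# an option that configure only knows as --with/--without, so configure warns
# "Unrecognized options" and silently ignores it.  USE is an assumed
# space-separated stand-in for the real USE flag state.
USE="${USE:-}"

# Simplified stand-ins for the Gentoo helpers (assumptions, not the real code).
use()        { case " $USE " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }
use_with()   { if use "$1"; then echo "--with-$1";   else echo "--without-$1"; fi; }
use_enable() { if use "$1"; then echo "--enable-$1"; else echo "--disable-$1"; fi; }

# LZO options gnutls-2.2.x configure recognizes, per the configure output above.
option_recognized() {
    case "$1" in --with-lzo|--without-lzo) return 0 ;; *) return 1 ;; esac
}

# Original ebuild logic: bindist intends to force LZO off, but configure
# does not know --disable-lzo, so the intent is lost.
old_myconf() {
    if use bindist; then echo "--disable-lzo"; else use_enable lzo; fi
}

# Corrected logic: the same intent expressed with the flag configure honors.
new_myconf() {
    if use bindist; then echo "--without-lzo"; else use_with lzo; fi
}

# Report what configure would do with the option; returns 1 when it is ignored.
check() {   # $1 = label, $2 = option
    if option_recognized "$2"; then echo "$1: $2 (honored)"; return 0
    else echo "$1: $2 (WARNING: unrecognized, silently ignored)"; return 1; fi
}

# Demo on a constructed USE set (bindist and lzo both enabled).
USE="bindist lzo"
check "old ebuild" "$(old_myconf)" || true
check "new ebuild" "$(new_myconf)" || true
```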