Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 548636

Summary: <net-libs/gnutls-3.3.15: MD5-based ServerKeyExchange signature accepted by default (GNUTLS-SA-2015-2)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: alonbl, crypto+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1218426
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 546760    

Description Agostino Sarubbo gentoo-dev 2015-05-05 07:33:30 UTC 
From ${URL} :

It was reported by the GnuTLS project that a ServerKeyExchange signature
sent by the server is not verified to be in the acceptable by the client
set of algorithms. That has the effect of allowing MD5 signatures (which
are disabled by default) in the ServerKeyExchange message. It is not
believed that this bug can be exploited because a fraudulent signature has
to be generated in real-time which is not known to be possible. However,
since attacks can only get better it is recommended to update to a GnuTLS
version which addresses the issue.

References:
http://www.gnutls.org/security.html


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2015-05-05 07:35:49 UTC 
3.3.15 can be stabilized.
Comment 2 Agostino Sarubbo gentoo-dev 2015-05-06 09:16:55 UTC 
Arches, please test and mark stable:
=net-libs/gnutls-3.3.15
Target keywords : "alpha amd64 arm hppa ia64 ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2015-05-06 09:29:44 UTC 
amd64 stable
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-05-06 13:21:09 UTC 
CVE - requested
http://www.openwall.com/lists/oss-security/2015/05/05/8
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-07 04:46:07 UTC 
Stable for PPC64.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-07 05:52:21 UTC 
Stable for HPPA.
Comment 7 Jack Morgan (RETIRED) gentoo-dev 2015-05-13 05:38:33 UTC 
ia64 stable
Comment 8 Pacho Ramos gentoo-dev 2015-05-15 10:56:54 UTC 
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-05-19 07:25:49 UTC 
x86 stable
Comment 10 Matt Turner gentoo-dev 2015-05-20 06:07:08 UTC 
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-05-27 13:02:17 UTC 
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-06-17 08:52:14 UTC 
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-06-21 03:13:55 UTC 
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 14 Alon Bar-Lev (RETIRED) gentoo-dev 2015-06-21 06:40:27 UTC 
Done, thanks.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-06-22 21:41:24 UTC 
This issue was resolved and addressed in
 GLSA 201506-03 at https://security.gentoo.org/glsa/201506-03
by GLSA coordinator Kristian Fiskerstrand (K_F).