Bug 147682 - net-libs/gnutls: rsa signature forgery (CVE-2006-4790)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://lists.gnupg.org/pipermail/gnut...
Whiteboard: B3 [glsa] Falco
Keywords:
Depends on: 147800
Blocks:
Reported: 2006-09-15 05:10 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2019-12-28 12:34 UTC (History)

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-09-15 05:10:21 UTC
It's related to the latest openssl vulnerability.

Secunia does not explicitly mention 1.2.10 as vulnerable but I guess it is.

http://secunia.com/advisories/21937 :
Software:	GnuTLS 1.x

CVE reference:	CVE-2006-4790 (Secunia mirror)

Description:
A vulnerability has been reported in GnuTLS, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error in the verification of certain signatures. If an RSA key with exponent 3 is used, it may be possible to forge PKCS #1 v1.5 signatures signed with that key.

The vulnerability has been reported in version 1.4.2. Other versions may also be affected.

Note: The vulnerability is related to SA21709.

Solution:
Update to version 1.4.4.

Provided and/or discovered by:
Originally reported by Daniel Bleichenbacher.
The vendor credits Yutaka Oiwa, Kazukuni Kobaraan, and Hajime Watanabe for reporting a variant in GnuTLS.

Original Advisory:
http://lists.gnupg.org/pipermail/gnutls-dev/2006-September/001205.html
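
The usual defence against the class of verification error the advisory describes is to rebuild the one valid PKCS #1 v1.5 block for the message and compare it byte for byte with the value recovered from the signature, instead of parsing the recovered block. This is an added example, not GnuTLS code and not part of the bug report; SHA-256, the function names and the exponent-3 toy key (constructed from two well-known primes, not secure) are assumptions.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Return the only valid encoded block: 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def verify_strict(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """Accept only if signature^e mod n equals the expected block exactly."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    # Full-length comparison: padding length, DigestInfo bytes and the
    # position of the hash are all checked, so nothing is left unverified.
    return hmac.compare_digest(recovered, emsa_pkcs1_v15_encode(message, k))


# Constructed toy key with public exponent 3 (assumption, for the demo only).
P = 2**448 - 2**224 - 1
Q = 2**384 - 2**128 - 2**96 + 2**32 - 1
N, E = P * Q, 3
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8


def sign_block(em: bytes) -> bytes:
    """Raw RSA private-key operation on an already encoded block."""
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


if __name__ == "__main__":
    msg = b"constructed test message"
    sig = sign_block(emsa_pkcs1_v15_encode(msg, K))
    print("valid signature accepted:", verify_strict(N, E, msg, sig))
    print("other message accepted:  ", verify_strict(N, E, b"other", sig))
```
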
Comment 1 Daniel Black (RETIRED) gentoo-dev 2006-09-15 18:49:18 UTC
Good news:
added gnutls-1.4.4
at will also need to keyword libtasn1-0.3.5
a revdep-rebuild will also be required.

Bad news:
both these are currently masked. I haven't had time to fully test them against the many applications that do use these versions. I'm going to push an email on -dev for early testing.

My suggested plan of action is to:
cc the arches - and get them to do their stuff.
email -dev and hope most applications that misbehave with the new gnutls can be quickly corrected.
once everything is stable - unmask libtasn1 and gnutls
Comment 2 Daniel Black (RETIRED) gentoo-dev 2006-09-15 19:14:54 UTC
if you don't like the unmasking plan in comment #1 feel free to tell me. Email to -dev sent.
If all else fails I'll look at a backport.
Comment 3 Markus Rothe (RETIRED) gentoo-dev 2006-09-16 09:53:37 UTC
I'm fine with gnutls-1.4.4 being marked stable on ppc64. it seems to 'just work'. waiting for libtasn1-0.3.5 being unmasked.
Comment 4 Daniel Black (RETIRED) gentoo-dev 2006-09-16 14:49:41 UTC
(In reply to comment #3)
> I'm fine with gnutls-1.4.4 being marked stable on ppc64. it seems to 'just
> work'.

I've rebuilt a full kde ~x86 system without error and have reports that gnome and ~amd64 work fine. I consider there to be a low chance of breakage; however, it just hasn't had the same level of exposure, being masked. Thanks for testing.

> waiting for libtasn1-0.3.5 being unmasked.

I'm planning on unmasking both together so people only need to revdep-rebuild once. Both versions have a different library version from their previous versions.
Comment 5 Jason Wever (RETIRED) gentoo-dev 2006-09-18 07:50:09 UTC
Things are looking good so far on SPARC.  One system rebuilt against gnutls-1.4.4 with no compile-time issues.  Two more in progress.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-18 12:34:35 UTC
Accepting bug.
Comment 7 Daniel Black (RETIRED) gentoo-dev 2006-09-19 13:55:15 UTC
I'm pretty happy now - gnutls-1.4.4-r1 fixes all broken stuff I know about.

Hope everyone is happy making libtasn1-0.3.5 and gnutls-1.4.4-r1 stable but masked so people only need to revdep-rebuild once.

note:
1.4.4 has a bug that will make rebuilding against some things fail -
(http://bugs.gentoo.org/show_bug.cgi?id=147970#c3)
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2006-09-19 23:15:19 UTC
On my production system I emerged version 1.4.4 some weeks ago and did revdep-rebuild.  It works fine.

Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 i686)
=================================================================
System uname: 2.6.17-gentoo-r8 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.12.5
Last Sync: Wed, 20 Sep 2006 05:20:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.2.11-r1
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  0.4.2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-O2 -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache confcache distlocks metadata-transfer parallel-fetch sandbox sfperms strict"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 alsa artworkextra asf audiofile bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo ccache cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds elibc_glibc emacs emboss encode esd evo exif fam fat fbcon fdftk ffmpeg firefox foomaticdb fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal howl icq idn imagemagick imap imlib input_devices_keyboard input_devices_mouse ipv6 isdnlog java javascript jikes jpeg jpeg2k kernel_linux ldap leim libg++ linguas_de lirc lirc_devices_atiusb lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nosendmail nowebdav nptl nptlonly nsplugin nvidia objc objc++ objc-gc offensive ogg opengl pam pcre pdf perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb userland_GNU vcd video_cards_fbdev video_cards_radeon video_cards_vesa videos vorbis win32codecs wmf wxwindows xfs xine xml xorg xosd xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 9 Andrej Kacian (RETIRED) gentoo-dev 2006-09-20 13:17:53 UTC
These are packages which need to go to stable on x86 for gnutls-1.4.4:

=net-libs/gnutls-1.4.4               (also package.mask-ed)
=sys-devel/autoconf-2.60
=sys-devel/autoconf-wrapper-3.2-r2
=sys-devel/m4-1.4.6
=dev-libs/libtasn1-0.3.4             (also package.mask-ed)
Comment 10 Andrej Kacian (RETIRED) gentoo-dev 2006-09-20 13:18:49 UTC
(In reply to comment #9)
> These are packages which need to go to stable on x86 for gnutls-1.4.4:
> 
> =net-libs/gnutls-1.4.4               (also package.mask-ed)
> =sys-devel/autoconf-2.60
> =sys-devel/autoconf-wrapper-3.2-r2
> =sys-devel/m4-1.4.6
> =dev-libs/libtasn1-0.3.4             (also package.mask-ed)
> 

=dev-libs/libtasn1-0.3.5 of course, sorry
Comment 11 Andrej Kacian (RETIRED) gentoo-dev 2006-09-20 15:03:34 UTC
OK, looks like I missed addition of gnutls-1.4.4-r1 yesterday, which doesn't need autoconf-2.60 anymore. Marked that one stable on x86, along with libtasn1-0.3.5, since it JustWorks(tm).
Comment 12 Jason Wever (RETIRED) gentoo-dev 2006-09-20 20:07:02 UTC
I've got 4 SPARC boxes (2 stable, 2 testing) that are looking good on gnutls-1.4.4*.  Haven't run into any apps that appear to have compile time errors with it.
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2006-09-21 03:30:45 UTC
ppc64 stable, too.
Comment 14 Daniel Black (RETIRED) gentoo-dev 2006-09-21 07:04:23 UTC
fyi I've unmasked early. Wanted to catch people who were maybe revdep-rebuilding because of openssl. I've had no reports of failures (yet) and lots of reports of working (yay).
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-21 13:11:35 UTC
ppc, hppa stable
Comment 16 Christoph Mende (RETIRED) gentoo-dev 2006-09-21 13:22:48 UTC
dev-libs/libtasn1-0.3.5
- emerges fine on amd64
- passes collision-test
- passes multilib-strict
- works

net-libs/gnutls-1.4.4-r1
- emerges fine on amd64
- passes collision-test
- passes multilib-strict
- works

Portage 2.1.1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18-ck1 x86_64)
=================================================================
System uname: 2.6.18-ck1 x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.12.5
Last Sync: Thu, 21 Sep 2006 14:50:02 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.6-r1, 2.0.29
dev-lang/python:     2.4.3-r3
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO8859-1"
LC_ALL="en_US.ISO8859-1"
LINGUAS=""
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acpi alsa amr avi berkdb bitmap-fonts branding bzip2 cairo cdinstall cdparanoia cdr cli crypt cups dbus divx dlloader dri dvd dvdr dvdread elibc_glibc emboss encode expat fam firefox fortran gdbm gif glut gnutls gpm gstreamer gtk gtk2 hal imagemagick input_devices_evdev input_devices_keyboard isdnlog jpeg kernel_linux lcms ldap libg++ lirc lirc_devices_inputlirc logrotate mad mikmod mng mp3 mpeg musicbrainz ncurses nls nptl nptlonly offensive ogg opengl pam pcre pdflib php png ppds pppd quicktime readline reflection reiserfs rtc sdl session socks5 spl ssl svg symlink tcpd tiff truetype truetype-fonts type1-fonts udev unicode userland_GNU userlocales v4l v4l2 video_cards_fglrx vim-with-x vorbis wmp x264 xfs xine xinerama xml xorg xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS
Comment 17 Simon Stelling (RETIRED) gentoo-dev 2006-09-21 15:12:18 UTC
both stable on amd64
Comment 18 Bryan Østergaard (RETIRED) gentoo-dev 2006-09-22 17:02:58 UTC
Stable on Alpha + ia64.
Comment 19 Jason Wever (RETIRED) gentoo-dev 2006-09-24 19:45:24 UTC
Stable on SPARC
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-26 09:05:57 UTC
GLSA 200609-15

arm, mips, s390, sh don't forget to mark stable to benefit from the GLSA.