From ${URL} : It was reported by the GnuTLS project that a ServerKeyExchange signature sent by the server is not verified to be in the acceptable by the client set of algorithms. That has the effect of allowing MD5 signatures (which are disabled by default) in the ServerKeyExchange message. It is not believed that this bug can be exploited because a fraudulent signature has to be generated in real-time which is not known to be possible. However, since attacks can only get better it is recommended to update to a GnuTLS version which addresses the issue. References: http://www.gnutls.org/security.html @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
3.3.15 can be stabilized.
Arches, please test and mark stable: =net-libs/gnutls-3.3.15 Target keywords : "alpha amd64 arm hppa ia64 ppc64 sparc x86"
amd64 stable
CVE - requested http://www.openwall.com/lists/oss-security/2015/05/05/8
Stable for PPC64.
Stable for HPPA.
ia64 stable
ppc stable
x86 stable
alpha stable
arm stable
sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
Done, thanks.
This issue was resolved and addressed in GLSA 201506-03 at https://security.gentoo.org/glsa/201506-03 by GLSA coordinator Kristian Fiskerstrand (K_F).
