Bug 588306 (GNUTLS-SA-2016-2) - <net-libs/gnutls-3.3.24: Certificate verification issue when used with the p11-kit trust module
Status: RESOLVED FIXED
Alias: GNUTLS-SA-2016-2
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Reported: 2016-07-08 08:24 UTC by Agostino Sarubbo
Modified: 2017-01-10 12:49 UTC

Description Agostino Sarubbo gentoo-dev 2016-07-08 08:24:54 UTC
From ${URL} :

A vulnerability was discovered in gnutls that affects certificate verification when GnuTLS is used in combination with the p11-kit trust module. This issue affects gnutls 3.3.23, 3.4.12 and later versions.

External References:

http://gnutls.org/security.html#GNUTLS-SA-2016-2


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2016-07-08 08:50:22 UTC
Can be stabilized.
Comment 2 Agostino Sarubbo gentoo-dev 2016-07-08 10:53:10 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-07-08 10:53:36 UTC
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-09 10:39:28 UTC
Stable for HPPA PPC64.
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2016-07-16 15:37:10 UTC
Stable on alpha.
Comment 6 Markus Meier gentoo-dev 2016-07-24 18:39:38 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-09-29 09:37:01 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-09-29 12:55:43 UTC
ppc stable 3.3.24-r1 in another bug
Comment 9 Agostino Sarubbo gentoo-dev 2016-09-29 13:18:50 UTC
(In reply to Agostino Sarubbo from comment #8)
> ppc stable 3.3.24-r1 in another bug

same for ia64
Comment 10 Alon Bar-Lev (RETIRED) gentoo-dev 2016-10-14 15:28:18 UTC
Cleaned up.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 23:21:01 UTC
@ Maintainer(s): Can you confirm that Gentoo did not build gnutls with "--with-default-trust-store-pkcs11"?
Comment 12 Alon Bar-Lev (RETIRED) gentoo-dev 2017-01-10 05:25:39 UTC
(In reply to Thomas Deutschmann from comment #11)
> @ Maintainer(s): Can you confirm that Gentoo did not build gnutls with
> "--with-default-trust-store-pkcs11"?

We have never explicitly enabled that, and based on what I see from source it is not enabled by default.
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-10 12:49:11 UTC
(In reply to Alon Bar-Lev from comment #12)
> We have never explicitly enabled that, and based on what I see from source
> it is not enabled by default.

Thanks. I came to the same conclusion. Therefore, lowering rating to B3.


GLSA Vote: No


All done, tree is clean.