Summary: | <net-libs/gnutls-{2.12.23,3.1.8}: TLS CBC padding timing attack (CVE-2013-1619) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=907589 | ||
Whiteboard: | A3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-02-05 09:29:24 UTC
GnuTLS fix:

2.12.x:
https://gitorious.org/gnutls/gnutls/commit/458c67cf98740e7b12404f6c30e0d5317d56fd30
https://gitorious.org/gnutls/gnutls/commit/93b7fcfa3297a9123630704668b2946f602b910e

3.0.x:
https://gitorious.org/gnutls/gnutls/commit/8dc2822966f64dd9cf7dde9c7aacd80d49d3ffe5

3.2.x / master:
https://gitorious.org/gnutls/gnutls/commit/328ee22c1b3951e060c7124c7cb1cee592c59bc0

gnutls-2.12.23
gnutls-3.1.7

In tree, should contain this fix.

Pidgin, Empathy and Telepathy can't connect to Google Talk anymore after upgrading to gnutls-3.1.7, please see bug 455800 for details.

(In reply to comment #2)
> gnutls-2.12.23
> gnutls-3.1.7
>
> In tree, should contain this fix.

Thanks, Alon. May we proceed to stabilize =net-libs/gnutls-2.12.23 ?

(In reply to comment #4)
> (In reply to comment #2)
> > gnutls-2.12.23
> > gnutls-3.1.7
> >
> > In tree, should contain this fix.
>
> Thanks, Alon. May we proceed to stabilize =net-libs/gnutls-2.12.23 ?

Seems so, no issues so far.

FYI the gnutls-3.1.7 was broken, gnutls-3.1.8 was released.

Thanks!

Arches, please test and mark stable:
=net-libs/gnutls-2.12.23
Target KEYWORDS: "alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x86-solaris"

amd64 stable

x86 stable

Stable for HPPA.

ppc done

CVE-2013-1619 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1619):
The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

sh stable

arm stable

ppc64 stable

alpha stable

ia64 stable

sparc stable

s390 stable

GLSA request filed.

crypto done.

m68k -> ~ only, removing from CC.

Maintainers unCC'd themselves, did the cleanup myself.

This issue was resolved and addressed in GLSA 201310-18 at http://security.gentoo.org/glsa/glsa-201310-18.xml by GLSA coordinator Sergey Popov (pinkbyte).
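The CVE-2013-1619 description above concerns record processing whose run time depends on whether and where the CBC padding is malformed. The C sketch below is an added illustration (not GnuTLS code and not taken from the linked commits) that puts an early-exit padding check beside a branch-free one; the function names, the 4-byte stand-in MAC length and the sample record are constructed for this example, and record lengths are assumed to be below 2^31.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit check: run time depends on where the padding breaks.
 * Returns the number of trailing bytes to strip, or -1. */
int naive_pad_check(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len == 0) return -1;
    size_t pad = rec[len - 1];
    if (pad + 1 + mac_len > len) return -1;     /* caller skips the MAC */
    for (size_t i = 0; i < pad; i++)
        if (rec[len - 2 - i] != pad) return -1; /* stops at first bad byte */
    return (int)(pad + 1);
}

/* All-ones if a < b, else 0; no branch. Requires a, b < 2^31. */
static uint32_t ct_lt(uint32_t a, uint32_t b) { return 0u - ((a - b) >> 31); }

/* Same verdict, but always scans min(len - 1, 255) bytes. On bad padding it
 * sets *ok = 0 and returns 0, so the caller still MACs the record and only
 * then rejects it. Lengths are public; only byte values are secret. */
int ct_pad_check(const uint8_t *rec, size_t len, size_t mac_len, int *ok)
{
    *ok = 0;
    if (len < mac_len + 1) return 0;
    uint32_t pad = rec[len - 1];
    uint32_t bad = ct_lt((uint32_t)(len - mac_len - 1), pad); /* pad too long */
    size_t scan = len - 1 < 255 ? len - 1 : 255;
    for (size_t i = 0; i < scan; i++) {
        uint32_t in_pad = ct_lt((uint32_t)i, pad);  /* is byte i padding? */
        bad |= in_pad & (uint32_t)(rec[len - 2 - i] ^ pad);
    }
    uint32_t nz = (bad | (0u - bad)) >> 31;         /* 1 if bad != 0 */
    *ok = (int)(1u - nz);
    return (int)((pad + 1) & (nz - 1u));
}

int main(void)
{
    /* Constructed record: 3 data bytes, 4-byte stand-in MAC, padding 03 x4. */
    uint8_t rec[11] = { 'a', 'b', 'c', 1, 2, 3, 4, 3, 3, 3, 3 };
    int ok;
    int strip = ct_pad_check(rec, sizeof rec, 4, &ok);
    printf("valid:  naive=%d ct=%d ok=%d\n", naive_pad_check(rec, 11, 4), strip, ok);
    rec[8] = 0;                                     /* corrupt one pad byte */
    strip = ct_pad_check(rec, sizeof rec, 4, &ok);
    printf("broken: naive=%d ct=%d ok=%d\n", naive_pad_check(rec, 11, 4), strip, ok);
    return 0;
}
```

The source is written without data-dependent branches, but a compiler may still introduce them, so the generated code should be inspected; the MAC comparison that follows needs the same treatment.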