Summary: | <net-libs/gnutls-2.12.23-r4: Unspecified Certificate Verification Vulnerabilities (CVE-2014-0092) [GNUTLS-SA-2014-2] | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | alonbl, andrzej.pauli, crypto+disabled, kazer, orzel, randy, ryao |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://secunia.com/advisories/56872/ | | |
Whiteboard: | A3 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-03-04 09:40:36 UTC
3.12.2 is already in the tree, but ~-only. For gnutls 2.x, there's no update available, but a patch from upstream. So we need either a patched 2.x-ebuild or stabilize 3.12.2.

gnutls-2.12.23-r3 in tree with patch[1]

[1] https://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150ccbdf0aec1878a41c17c41d358a3b

Please advise when testing is complete and you are ready for stabilization.

(In reply to Yury German from comment #3)
> Please advise when testing is complete and you are ready for stabilization.

FEATURES="test" is ok. Best that stable teams will test it more. CC arches then?

Please stabilize: gnutls-2.12.23-r3

Thanks!

(In reply to Alon Bar-Lev from comment #6)
> Please stabilize: gnutls-2.12.23-r3
>
> Thanks!

Sorry, yet another CVE at bug#501282; please stabilize gnutls-2.12.23-r4, which contains both. Thanks!

Stable for HPPA.

amd64 stable

x86 stable

sparc stable

ppc stable

ia64 stable

alpha stable

arm stable

ppc64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

Arches, thank you for your work.

Maintainer(s), please drop the vulnerable version. Created a new GLSA request.

Maintainer(s), please drop the vulnerable version.

Maintainer(s), thank you for cleanup!

CVE-2014-0092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0092): lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

This issue was resolved and addressed in GLSA 201406-09 at http://security.gentoo.org/glsa/glsa-201406-09.xml by GLSA coordinator Mikle Kolyada (Zlogene).
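The CVE text above names the effect (an unspecified internal error makes certificate verification succeed) but not the shape of the defect. The C program below is an added illustration, not code from GnuTLS, from the upstream commit linked in this bug, or from Gentoo: it models the general error-handling pattern in which a verifier with a "1 = verified, 0 = not verified" contract routes an internal error through a cleanup path that returns the raw negative error code, which a caller testing for nonzero then accepts, beside the hardened shape that pins every error path to 0. All names (`struct cert`, `ERR_PARSE`, `decode_extensions`, `check_signature`, `verify_vulnerable`, `verify_fixed`, `accept_peer`, `run_case`) and the certificate inputs are constructed for the example and do not reflect GnuTLS's actual internals.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed error code, following the convention assumed for this
 * illustration that internals return 0 on success and a negative code
 * on failure. */
#define ERR_PARSE (-30)

/* Constructed stand-in for a parsed X.509 certificate. */
struct cert {
    bool signature_valid;   /* what a real signature check would yield */
    bool extension_corrupt; /* a crafted, undecodable extension */
};

/* Constructed decoder: 0 on success, negative on an "unspecified" error. */
static int decode_extensions(const struct cert *c)
{
    return c->extension_corrupt ? ERR_PARSE : 0;
}

/* Constructed signature check: 1 = good, 0 = bad. */
static int check_signature(const struct cert *c)
{
    return c->signature_valid ? 1 : 0;
}

/* Vulnerable shape: the contract is "1 = verified, 0 = not verified",
 * but the error path jumps to a cleanup label that returns the raw
 * (negative, hence nonzero) error code. */
int verify_vulnerable(const struct cert *c)
{
    int result;

    result = decode_extensions(c);
    if (result < 0)
        goto cleanup;          /* BUG: result is negative here, i.e. nonzero */

    result = check_signature(c);

cleanup:
    return result;
}

/* Hardened shape: every error path is forced to the "not verified" value. */
int verify_fixed(const struct cert *c)
{
    int result;

    result = decode_extensions(c);
    if (result < 0)
        goto fail;

    result = check_signature(c);
    return result;

fail:
    return 0;                  /* any internal error means "not verified" */
}

/* A caller written to the documented contract treats nonzero as verified. */
bool accept_peer(int (*verify)(const struct cert *), const struct cert *c)
{
    return verify(c) != 0;
}

/* Builds a constructed certificate and reports 1 if the caller would
 * accept it under the given verifier, 0 otherwise. */
int run_case(int (*verify)(const struct cert *),
             bool signature_valid, bool extension_corrupt)
{
    struct cert c = { signature_valid, extension_corrupt };
    return accept_peer(verify, &c) ? 1 : 0;
}

int main(void)
{
    printf("vulnerable: good=%d bad_sig=%d crafted=%d\n",
           run_case(verify_vulnerable, true, false),
           run_case(verify_vulnerable, false, false),
           run_case(verify_vulnerable, false, true));
    printf("fixed:      good=%d bad_sig=%d crafted=%d\n",
           run_case(verify_fixed, true, false),
           run_case(verify_fixed, false, false),
           run_case(verify_fixed, false, true));
    return 0;
}
```

Compile the block as a single file with any C99 compiler and run it. The crafted certificate (undecodable extension and an invalid signature) is accepted by `verify_vulnerable` and rejected by `verify_fixed`; the property to check when auditing any verifier whose callers test for nonzero is that no error path can return anything other than the explicit "not verified" value.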