Summary: | <net-libs/gnutls-3.3.17.1: Downgrade attack vulnerability (CVE-2015-0282) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | alonbl, crypto+disabled |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B4 [noglsa/cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 544664, 559120 | ||
Bug Blocks: |
Description
GLSAMaker/CVETool Bot
2015-06-30 23:47:36 UTC
I would like so, we have a problem with net-analyzer/openvas-libraries (bug#544664), it uses upstream unmaintained gnutls-2, I think we should mask both.

(In reply to Alon Bar-Lev from comment #1)
> I would like so, we have a problem with net-analyzer/openvas-libraries
> (bug#544664), it uses upstream unmaintained gnutls-2, I think we should mask
> both.

We could use the same patch as RedHat/Fedora did: https://bugzilla.redhat.com/show_bug.cgi?id=1194371

(In reply to Yury German from comment #2)
> (In reply to Alon Bar-Lev from comment #1)
> > I would like so, we have a problem with net-analyzer/openvas-libraries
> > (bug#544664), it uses upstream unmaintained gnutls-2, I think we should mask
> > both.
>
> We could use the same patch as RedHat/Fedora did:
> https://bugzilla.redhat.com/show_bug.cgi?id=1194371

too many conflicts.
for one non stable dependency it is not worth to continue maintaining this package.
please help mask it out.

(In reply to Alon Bar-Lev from comment #3)
> (In reply to Yury German from comment #2)
> > (In reply to Alon Bar-Lev from comment #1)
> > > I would like so, we have a problem with net-analyzer/openvas-libraries
> > > (bug#544664), it uses upstream unmaintained gnutls-2, I think we should mask
> > > both.
> >
> > We could use the same patch as RedHat/Fedora did:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1194371
>
> too many conflicts.
> for one non stable dependency it is not worth to continue maintaining this
> package.
> please help mask it out.

Seconded, we need to get rid of gnutls 2.x, this is unsupported upstream. Will initiate the procedures for it.

Adding a dep on bug 559120 for stabilization of 3.3 in same slot, remaining is arm64 s390 and sh, so from that perspective we're mostly fine, but nice to have for tracking.

With 3.3.17.1 stabilized now, are we ready to move this to cleanup and remove 2.12.23-r6.

Security Please Vote.

GLSA Vote: No

GLSA Vote: No

Can we remove 2.12.23-r6 yet?

(In reply to Alon Bar-Lev from comment #1)
> I would like so, we have a problem with net-analyzer/openvas-libraries
> (bug#544664), it uses upstream unmaintained gnutls-2, I think we should mask
> both.

net-analyzer/openvas-libraries now supports gnutls-3. Last version depending on gnutls-2 just removed.

Cleaned.

(In reply to Alon Bar-Lev from comment #10)
> Cleaned.

Thanks