Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 594738 (CVE-2016-7444)

Summary: <net-libs/gnutls-3.3.24-r1: OCSP validation issue
Product: Gentoo Security Reporter: Ian Zimmerman <nobrowser>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: alonbl, crypto+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/oss-sec/2016/q3/545
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Ian Zimmerman 2016-09-22 01:23:37 UTC
According to the announce on oss-security:

> Stefan Bühler discovered an issue that affects validation of
> certificates using OCSP responses, which can falsely report a
> certificate as valid under certain circumstances. That issue affects
> gnutls 3.3.24, 3.4.14, 3.5.3 and previous versions.

Upstream fix is at [1]. This is as well tracked in Red Hat's bugzilla
at [2].
 [1] https://gitlab.com/gnutls/gnutls/commit/964632f37dfdfb914ebc5e49db4fa29af35b1de9
 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1374266



Reproducible: Always
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2016-09-23 06:34:40 UTC
gnutls-3.3.24-r1 was added, thanks!
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2016-09-23 06:54:28 UTC
Hi,
Please stabilize.
Thanks!
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-24 08:15:52 UTC
Stable for HPPA PPC64.
Comment 4 Agostino Sarubbo gentoo-dev 2016-09-26 19:08:34 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-09-26 19:09:02 UTC
x86 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2016-09-27 07:02:32 UTC
Stable on alpha.
Comment 7 Agostino Sarubbo gentoo-dev 2016-09-29 09:42:11 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-09-29 12:39:50 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-09-29 13:15:40 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-09-29 13:32:16 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Alon Bar-Lev (RETIRED) gentoo-dev 2016-10-14 15:27:27 UTC
Cleanup done.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-11-27 11:57:30 UTC
GLSA Vote: No