Bug 222823 - net-libs/gnutls < 2.2.5 Multiple vulnerabilities GNUTLS-SA-2008-1 (CVE-2008-{1948,1949,1950})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL: http://article.gmane.org/gmane.comp.e...
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-05-19 15:22 UTC by Arttu Valo
Modified: 2020-04-09 06:40 UTC (History)
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Arttu Valo 2008-05-19 15:22:17 UTC
GNUTLS-SA-2008-1 reported vulnerabilities have been patched in GnuTLS version 2.2.4 released today.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-19 15:31:31 UTC
Thanks for reporting.

Maintainer, please bump.
Comment 2 John Brooks 2008-05-20 00:01:39 UTC
Should be dealt with quickly; there are three separate remotely triggerable (prior to authentication) crash bugs fixed in this release, and at least two of them will affect almost any server application using GnuTLS. Should update to 2.2.5 rather than 2.2.4 - it fixes an issue introduced when fixing these vulnerabilities.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-05-20 02:18:23 UTC
It is currently unclear whether these bugs could be exploited to execute arbitrary code, so until that is clear, we should handle it as A1.

dragonheart, since alonbl unfortunately is retiring, can you bump this package?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-05-20 11:53:27 UTC
https://www.cert.fi/haavoittuvuudet/advisory-gnutls.html
Comment 5 Daniel Black (RETIRED) gentoo-dev 2008-05-20 13:41:34 UTC
+gnutls-2.2.3.ebuild
Comment 6 Daniel Black (RETIRED) gentoo-dev 2008-05-20 14:12:38 UTC
(In reply to comment #5)
> +gnutls-2.2.3.ebuild
> 
er - +gnutls-2.2.5.ebuild :-)
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-05-20 14:29:01 UTC
Which should go stable, then?
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-05-20 14:37:04 UTC
Arches, please test and mark stable:
=net-libs/gnutls-2.2.5
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-05-20 15:20:13 UTC
Might help to put a copy in distfiles-local quickly.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-05-20 15:35:13 UTC
(In reply to comment #9)
> Might help to put a copy in distfiles-local quickly.

Done. The josefsson.org is incredibly slow.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-05-20 16:02:47 UTC
Stable for HPPA.
Comment 12 franky 2008-05-20 17:50:42 UTC
guys, there's something wrong with the configure options in gnutls-2.2.x!

---snip----
        local myconf
        use bindist && myconf="--disable-lzo" || myconf="$(use_enable lzo)"
---snip----

--disable-lzo should be --without-lzo, otherwise it's an UNRECOGNIZED option,
and (use_enable lzo) should be (use_with lzo).

Shall I open a new bug report? Just discovered the issue.

FranKY
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2008-05-20 19:08:43 UTC
alpha/ia64/sparc/x86 stable.

Franz, please open a new bug.
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2008-05-20 19:16:07 UTC
Thanks for spotting this Franz:

./configure --prefix=/usr --host=powerpc64-unknown-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --without-included-opencdk --with-zlib --with-lzo --enable-nls --disable-guile --disable-gtk-doc --enable-lzo --libdir=/usr/lib64 --build=powerpc64-unknown-linux-gnu
configure: WARNING: Unrecognized options: --enable-lzo

The error is from the redundant entries --enable-lzo and --with-lzo.

src_compile() logic is broken. It does first "use bindist && myconf="--disable-lzo" || myconf="$(use_enable lzo)"" and then "econf [...] $(use_with lzo)"

I removed the redundant one after econf and changed use_enable to use_with in the bindist line. I also changed --disable-lzo to --without-lzo.

ppc64 stable, by the way.
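The flag-building logic from comments 12 and 14, broken form beside the fixed one, as an added example that is not the gnutls ebuild's own code: the Portage helpers use, use_enable and use_with are stubbed so it runs outside Portage (assumption: same output shape as the real helpers), and the USE set is read from the constructed USE_FLAGS variable.

```shell
#!/bin/sh
# Added example: reproduces the lzo flag logic discussed above outside Portage.
# Stubs standing in for Portage's use / use_enable / use_with (assumption).
USE_FLAGS="${USE_FLAGS:-lzo}"   # constructed USE set, e.g. "lzo bindist"

use() {
    case " $USE_FLAGS " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}
use_enable() { if use "$1"; then echo "--enable-$1"; else echo "--disable-$1"; fi; }
use_with()   { if use "$1"; then echo "--with-$1";   else echo "--without-$1"; fi; }

# Flags as the gnutls-2.2.x ebuild built them: an --enable/--disable-lzo
# switch configure does not know, plus a second lzo flag passed to econf.
broken_lzo_flags() {
    local myconf
    use bindist && myconf="--disable-lzo" || myconf="$(use_enable lzo)"
    echo "$myconf $(use_with lzo)"
}

# Flags after the fix from comment 14: --without-lzo under bindist,
# otherwise use_with lzo, and no duplicate flag on the econf line.
fixed_lzo_flags() {
    local myconf
    use bindist && myconf="--without-lzo" || myconf="$(use_with lzo)"
    echo "$myconf"
}

# Mimic configure's complaint: report any --enable-/--disable-lzo switch.
unrecognized() {
    for f in "$@"; do
        case "$f" in --enable-lzo|--disable-lzo) echo "Unrecognized option: $f" ;; esac
    done
}

echo "broken: $(broken_lzo_flags)"
unrecognized $(broken_lzo_flags)
echo "fixed:  $(fixed_lzo_flags)"
```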
Comment 15 Richard Freeman gentoo-dev 2008-05-21 15:11:53 UTC
amd64 stable
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-21 16:21:49 UTC
ppc stable
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-05-21 21:57:51 UTC
GLSA 200805-20
Comment 18 Peter Volkov (RETIRED) gentoo-dev 2008-05-22 10:12:38 UTC
Fixed in release snapshot.