Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 548636 - <net-libs/gnutls-3.3.15: MD5-based ServerKeyExchange signature accepted by default (GNUTLS-SA-2015-2)
Summary: <net-libs/gnutls-3.3.15: MD5-based ServerKeyExchange signature accepted by de...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on:
Blocks: CVE-2015-3308
  Show dependency tree
Reported: 2015-05-05 07:33 UTC by Agostino Sarubbo
Modified: 2015-06-22 21:41 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-05-05 07:33:30 UTC
From ${URL} :

It was reported by the GnuTLS project that a ServerKeyExchange signature
sent by the server is not verified to be in the acceptable by the client
set of algorithms. That has the effect of allowing MD5 signatures (which
are disabled by default) in the ServerKeyExchange message. It is not
believed that this bug can be exploited because a fraudulent signature has
to be generated in real-time which is not known to be possible. However,
since attacks can only get better it is recommended to update to a GnuTLS
version which addresses the issue.


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2015-05-05 07:35:49 UTC
3.3.15 can be stabilized.
Comment 2 Agostino Sarubbo gentoo-dev 2015-05-06 09:16:55 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2015-05-06 09:29:44 UTC
amd64 stable
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-05-06 13:21:09 UTC
CVE - requested
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-07 04:46:07 UTC
Stable for PPC64.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-07 05:52:21 UTC
Stable for HPPA.
Comment 7 Jack Morgan (RETIRED) gentoo-dev 2015-05-13 05:38:33 UTC
ia64 stable
Comment 8 Pacho Ramos gentoo-dev 2015-05-15 10:56:54 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-05-19 07:25:49 UTC
x86 stable
Comment 10 Matt Turner gentoo-dev 2015-05-20 06:07:08 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-05-27 13:02:17 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-06-17 08:52:14 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-06-21 03:13:55 UTC
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 14 Alon Bar-Lev (RETIRED) gentoo-dev 2015-06-21 06:40:27 UTC
Done, thanks.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-06-22 21:41:24 UTC
This issue was resolved and addressed in
 GLSA 201506-03 at
by GLSA coordinator Kristian Fiskerstrand (K_F).