CVE-2015-0282 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0282): GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors. Upstream's security page [1] indicates that the 2.12 branch is vulnerable: "This issue only affects versions of GnuTLS prior to 3.1.0 (released in 2012). These versions don't verify that the RSA PKCS #1 signature algorithm matches the signature algorithm in the certificate, leading to a potential downgrade to a disallowed algorithm, such as MD5, without detecting it. Recommendation: Upgrade to GnuTLS 3.1.0 or later. A patch will be included in the gnutls_2_12_x branch for the users of that version that cannot upgrade." Maintainer(s), please indicate whether you will be patching the 2.12 branch or dropping it. [1] http://www.gnutls.org/security.html
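To make the failure mode concrete, here is an added, self-contained example (not GnuTLS code and not part of this bug) of the check the advisory describes. An RSA PKCS #1 v1.5 signature carries a DER DigestInfo naming the hash that was actually signed; the certificate separately states a signatureAlgorithm (e.g. sha256WithRSAEncryption). If the verifier takes the hash from the DigestInfo alone and applies its "MD5 is disallowed" policy only to the certificate's stated algorithm, an MD5-based signature is accepted under a certificate that claims SHA-256. The code models the certificate's signatureAlgorithm as a name rather than an OID, uses textbook RSA with a Miller-Rabin prime search (stdlib only, not for production), and the tbsCertificate bytes are a constructed sample; the DigestInfo OID prefixes are the well-known values from RFC 8017 section 9.2. `verify(..., match_cert_alg=False)` models the pre-3.1.0 behaviour, `match_cert_alg=True` the fixed one.

```python
import hashlib
import secrets

def _is_probable_prime(n, rounds=16):          # Miller-Rabin; n is odd and > 3 here
    r = ((n - 1) & (1 - n)).bit_length() - 1   # n - 1 == d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa(bits=1024):
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))   # (public, private)

# DER-encoded hash OIDs that appear inside DigestInfo (RFC 8017, section 9.2 note).
HASH_OIDS = {"md5": bytes.fromhex("2a864886f70d0205"), "sha1": bytes.fromhex("2b0e03021a"),
             "sha256": bytes.fromhex("608648016503040201")}
OID_TO_HASH = {v: k for k, v in HASH_OIDS.items()}
# The certificate's signatureAlgorithm is modelled by name here; real code reads its OID.
SIG_ALG_HASH = {"md5WithRSAEncryption": "md5", "sha1WithRSAEncryption": "sha1",
                "sha256WithRSAEncryption": "sha256"}

def encode_digest_info(hash_name, digest):
    der = lambda tag, body: bytes([tag, len(body)]) + body          # short-form lengths suffice
    alg = der(0x30, der(0x06, HASH_OIDS[hash_name]) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    return der(0x30, alg + der(0x04, digest))

def _tlv(buf, pos, tag):
    """Read one short-form TLV with the given tag at pos; return (value, end)."""
    if pos + 2 > len(buf) or buf[pos] != tag or buf[pos + 1] >= 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("bad or truncated DER")
    end = pos + 2 + buf[pos + 1]
    return buf[pos + 2:end], end

def decode_digest_info(der):
    """Strict parse of DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }."""
    body, end = _tlv(der, 0, 0x30)
    alg, p = _tlv(body, 0, 0x30)
    oid, q = _tlv(alg, 0, 0x06)
    digest, r = _tlv(body, p, 0x04)
    if end != len(der) or r != len(body) or alg[q:] != b"\x05\x00" or bytes(oid) not in OID_TO_HASH:
        raise ValueError("malformed DigestInfo or unknown digest OID")
    return OID_TO_HASH[bytes(oid)], bytes(digest)

def rsa_sign(priv, hash_name, msg):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    t = encode_digest_info(hash_name, hashlib.new(hash_name, msg).digest())
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t      # EMSA-PKCS1-v1_5 encoding
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def _recover_t(pub, sig):
    """RSA public operation plus a strict padding check; returns the DER DigestInfo T."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    ps, sep, t = em[2:].partition(b"\x00")
    if len(sig) != k or em[:2] != b"\x00\x01" or not sep or len(ps) < 8 or ps.count(0xFF) != len(ps):
        raise ValueError("bad padding")
    return t

def verify(pub, tbs, sig_alg, sig, match_cert_alg, disallowed=("md5",)):
    """match_cert_alg=False models GnuTLS < 3.1.0: the hash actually used is whatever
    the DigestInfo says, while the policy check only looks at the certificate's sig_alg."""
    expected = SIG_ALG_HASH[sig_alg]
    if expected in disallowed:
        raise ValueError("policy: %s is not allowed" % sig_alg)
    hash_name, digest = decode_digest_info(_recover_t(pub, sig))
    if match_cert_alg and hash_name != expected:
        raise ValueError("DigestInfo says %s but certificate says %s" % (hash_name, sig_alg))
    return digest == hashlib.new(hash_name, tbs).digest()

def demo():
    """Constructed scenario: a certificate claiming sha256WithRSAEncryption carries an
    MD5-based signature.  Returns (vulnerable_accepts, fixed_accepts)."""
    pub, priv = gen_rsa(1024)
    tbs = b"constructed tbsCertificate bytes"            # constructed sample input
    md5_sig = rsa_sign(priv, "md5", tbs)
    vulnerable = verify(pub, tbs, "sha256WithRSAEncryption", md5_sig, match_cert_alg=False)
    try:
        fixed = verify(pub, tbs, "sha256WithRSAEncryption", md5_sig, match_cert_alg=True)
    except ValueError:
        fixed = False
    return vulnerable, fixed
```

Running `demo()` returns `(True, False)`: the pre-3.1.0 logic accepts the MD5 signature because its policy check only ever sees "sha256WithRSAEncryption", while the fixed logic rejects the mismatch before comparing digests. The padding parser is deliberately strict (whole DigestInfo consumed, NULL parameters required, at least eight 0xFF bytes) so that the example does not reintroduce the well-known lenient-padding problems of PKCS #1 v1.5 verification.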
I would like so. We have a problem with net-analyzer/openvas-libraries (bug #544664): it uses the upstream-unmaintained gnutls-2. I think we should mask both.
(In reply to Alon Bar-Lev from comment #1) > I would like so, we have a problem with net-analyzer/openvas-libraries > (bug#544664), it uses upstream unmaintained gnutls-2, I think we should mask > both. We could use the same patch as RedHat/Fedora did: https://bugzilla.redhat.com/show_bug.cgi?id=1194371
(In reply to Yury German from comment #2) > (In reply to Alon Bar-Lev from comment #1) > > I would like so, we have a problem with net-analyzer/openvas-libraries > > (bug#544664), it uses upstream unmaintained gnutls-2, I think we should mask > > both. > > We could use the same patch as RedHat/Fedora did: > https://bugzilla.redhat.com/show_bug.cgi?id=1194371 Too many conflicts. For one non-stable dependency it is not worth continuing to maintain this package. Please help mask it out.
(In reply to Alon Bar-Lev from comment #3) > (In reply to Yury German from comment #2) > > (In reply to Alon Bar-Lev from comment #1) > > > I would like so, we have a problem with net-analyzer/openvas-libraries > > > (bug#544664), it uses upstream unmaintained gnutls-2, I think we should mask > > > both. > > > > We could use the same patch as RedHat/Fedora did: > > https://bugzilla.redhat.com/show_bug.cgi?id=1194371 > > too many conflicts. > for one non stable dependency it is not worth to continue maintaining this > package. > please help mask it out. Seconded, we need to get rid of gnutls 2.x; it is unsupported upstream. Will initiate the procedures for it. Adding a dep on bug 559120 for stabilization of 3.3 in the same slot; remaining are arm64, s390 and sh, so from that perspective we're mostly fine, but nice to have for tracking.
With 3.3.17.1 stabilized now, are we ready to move this to cleanup and remove 2.12.23-r6?
Security, please vote. GLSA Vote: No
GLSA Vote: No
Can we remove 2.12.23-r6 yet?
(In reply to Alon Bar-Lev from comment #1) > I would like so, we have a problem with net-analyzer/openvas-libraries > (bug#544664), it uses upstream unmaintained gnutls-2, I think we should mask > both. net-analyzer/openvas-libraries now supports gnutls-3. The last version depending on gnutls-2 was just removed.
Cleaned.
(In reply to Alon Bar-Lev from comment #10) > Cleaned. Thanks