Bug 681846 (CVE-2019-3829, CVE-2019-3836, GNUTLS-SA-2019-03-27) - <net-libs/gnutls-3.6.7: multiple vulnerabilities (GNUTLS-SA-2019-03-27)
Summary: <net-libs/gnutls-3.6.7: multiple vulnerabilities (GNUTLS-SA-2019-03-27)
Status: RESOLVED FIXED
Alias: CVE-2019-3829, CVE-2019-3836, GNUTLS-SA-2019-03-27
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://lists.gnupg.org/pipermail/gnu...
Whiteboard: A2 [glsa+ cve stable]
Keywords: STABLEREQ
Depends on: 677430 681096
Blocks:
Reported: 2019-03-27 09:35 UTC by GLSAMaker/CVETool Bot
Modified: 2019-04-17 11:38 UTC (History)

See Also:
Package list:
=net-libs/gnutls-3.6.7 alpha amd64 arm arm64 hppa ia64 ppc ppc64 s390 sparc x86
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Description GLSAMaker/CVETool Bot gentoo-dev 2019-03-27 09:35:30 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 09:37:45 UTC
It was found using the TLS fuzzer tools that decoding a malformed TLS 1.3 asynchronous message can cause a server crash via an invalid pointer access. The issue affects GnuTLS server applications since 3.6.4. The issue was reported in the issue tracker as #704.

Tavis Ormandy from Google Project Zero found a memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected. The issue was reported in the issue tracker as #694.

Recommendation: To address the issues found, upgrade to GnuTLS 3.6.7 or later.
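The advisory quoted above gives two affected ranges (issue #704 from 3.6.4 onward, servers only; issue #694 from 3.5.8 onward) and a single fixed version (3.6.7). The following triage script, an added example rather than Gentoo's or GnuTLS's own tooling, encodes those ranges so that an installed version string (including Gentoo-style `-r1` revisions, an assumption about input format) can be checked against them. The `pkg-config` lookup is assumed to be available; it is only a convenience and the pure functions work without it.

```python
"""Triage an installed GnuTLS version against GNUTLS-SA-2019-03-27.

Added example; not part of the Gentoo bug or the GnuTLS project.
Affected ranges and the fixed version are taken from the advisory text.
"""
import re
import subprocess

# All issues in this advisory are fixed in 3.6.7.
FIXED = (3, 6, 7)

# Issue tracker ids and lower bounds as stated in the advisory (inclusive).
ISSUES = {
    "#704": {
        "since": (3, 6, 4),
        "desc": "TLS 1.3 asynchronous message decoding crash (server applications)",
    },
    "#694": {
        "since": (3, 5, 8),
        "desc": "double free in the certificate verification API (clients and servers)",
    },
}


def parse_version(text):
    """Extract the first x.y.z triple from strings such as '3.6.7',
    'net-libs/gnutls-3.6.7-r1' or 'gnutls 3.6.6' as a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def affected_issues(version_text):
    """Return the advisory issue ids that apply to the given version,
    in the order the advisory lists them; empty if the version is fixed
    or predates every affected range."""
    version = parse_version(version_text)
    if version >= FIXED:
        return []
    return [issue for issue, info in ISSUES.items() if version >= info["since"]]


def installed_version():
    """Best-effort lookup of the installed library version via pkg-config
    (assumed present); None when it cannot be determined."""
    try:
        result = subprocess.run(
            ["pkg-config", "--modversion", "gnutls"],
            capture_output=True, text=True, check=True,
        )
        return result.stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None


def report(version_text):
    """Human-readable summary for one version string."""
    issues = affected_issues(version_text)
    if not issues:
        return f"GnuTLS {version_text}: not affected by GNUTLS-SA-2019-03-27"
    lines = [f"GnuTLS {version_text}: affected, upgrade to 3.6.7 or later"]
    for issue in issues:
        lines.append(f"  {issue}: {ISSUES[issue]['desc']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample inputs covering each branch, plus the live system if available.
    for sample in ("3.5.7", "3.6.0", "3.6.6", "3.6.7", "net-libs/gnutls-3.6.7-r1"):
        print(report(sample))
    live = installed_version()
    if live is not None:
        print(report(live))
```

Note that a version of 3.6.0 is reported as affected only by #694: the TLS 1.3 crash requires 3.6.4 or later, whereas the double free applies to every release from 3.5.8 up to the fix.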
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2019-03-27 11:37:51 UTC
I version-bumped gnutls, but the changes are not trivial; I suggest waiting about a week before stabilizing.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2019-03-28 02:41:39 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself, when ready.
Comment 4 Alon Bar-Lev (RETIRED) gentoo-dev 2019-04-01 06:01:28 UTC
Let's stabilize.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-01 07:19:24 UTC
amd64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2019-04-01 17:22:48 UTC
x86 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-02 09:50:31 UTC
s390 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-03 07:11:35 UTC
arm stable
Comment 9 Rolf Eike Beer archtester 2019-04-06 10:22:58 UTC
sparc stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-06 13:38:46 UTC
alpha stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 10:52:19 UTC
alpha stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:44:50 UTC
ia64 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:53:34 UTC
ppc64 stable
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-08 06:20:19 UTC
ppc stable
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-11 13:58:29 UTC
hppa stable
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2019-04-15 20:48:16 UTC
This issue was resolved and addressed in
 GLSA 201904-14 at https://security.gentoo.org/glsa/201904-14
by GLSA coordinator Aaron Bauman (b-man).
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2019-04-15 20:48:44 UTC
Re-opened for final arches and cleanup.
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2019-04-16 23:37:03 UTC
arm64 stable
Comment 19 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-17 11:37:54 UTC
arm stable