From ${URL} :

Description
Some vulnerabilities have been reported in GnuTLS, which can be exploited by malicious people to conduct spoofing attacks. The vulnerabilities are caused due to some unspecified errors when verifying certificates and can be exploited to bypass certain certificate validation checks and subsequently e.g. spoof a server. The vulnerabilities are reported in versions 3.x prior to 3.2.12 and prior to 3.1.22 and versions 2.x.

Solution: Update to a fixed version or apply patch. Further details available to Secunia VIM customers

Provided and/or discovered by: Reported by the vendor.

Original Advisory:
GnuTLS:
http://gnutls.org/security.html#GNUTLS-SA-2014-2
http://lists.gnutls.org/pipermail/gnutls-devel/2014-March/006794.html
http://lists.gnutls.org/pipermail/gnutls-devel/2014-March/006795.html

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
3.12.2 is already in the tree, but ~-only. For gnutls 2.x, there's no update available, but a patch from upstream. So we need either a patched 2.x-ebuild or stabilize 3.12.2.
gnutls-2.12.23-r3 in tree with patch[1]

[1] https://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150ccbdf0aec1878a41c17c41d358a3b
Please advise when testing is complete and you are ready for stabilization.
(In reply to Yury German from comment #3) > Please advise when testing is complete and you are ready for stabilization. FEATURES="test" is ok. Best that stable teams will test it more.
CC arches then?
Please stabilize: gnutls-2.12.23-r3 Thanks!
(In reply to Alon Bar-Lev from comment #6) > Please stabilize: gnutls-2.12.23-r3 > > Thanks! Sorry, yet another CVE at bug#501282, please stabilize gnutls-2.12.23-r4 which contains both. Thanks!
Stable for HPPA.
amd64 stable
x86 stable
sparc stable
ppc stable
ia64 stable
alpha stable
arm stable
ppc64 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
Arches, thank you for your work. Maintainer(s), please drop the vulnerable version. Created a new GLSA request.
Maintainer(s), please drop the vulnerable version.
Maintainer(s), thank you for the cleanup!
CVE-2014-0092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0092): lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
This issue was resolved and addressed in GLSA 201406-09 at http://security.gentoo.org/glsa/glsa-201406-09.xml by GLSA coordinator Mikle Kolyada (Zlogene).