Bug 553690 (CVE-2015-0282) - <net-libs/gnutls-3.3.17.1: Downgrade attack vulnerability (CVE-2015-0282)
Summary: <net-libs/gnutls-3.3.17.1: Downgrade attack vulnerability (CVE-2015-0282)
Status: RESOLVED FIXED
Alias: CVE-2015-0282
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa/cve]
Keywords:
Depends on: 544664 559120
Blocks:
Reported: 2015-06-30 23:47 UTC by GLSAMaker/CVETool Bot
Modified: 2015-11-19 09:10 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2015-06-30 23:47:36 UTC
CVE-2015-0282 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0282):
  GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature algorithm
  matches the signature algorithm in the certificate, which allows remote
  attackers to conduct downgrade attacks via unspecified vectors.


Upstream's security page [1] indicates that the 2.12 branch is vulnerable:

This issue only affects versions of GnuTLS prior to 3.1.0 (released in 2012). These versions don't verify the RSA PKCS #1 signature algorithm to match the signature algorithm in the certificate, leading to a potential downgrade to a disallowed algorithm, such as MD5, without detecting it.
Recommendation: Upgrade to GnuTLS 3.1.0, or later. A patch will be included in gnutls_2_12_x branch for the users of that version that cannot upgrade.

Maintainer(s), please indicate if you will be patching the 2.12 branch or dropping it. 

[1] http://www.gnutls.org/security.html
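The upstream description above is the whole of the bug: an RSA PKCS #1 v1.5 signature carries a DigestInfo structure that itself names the hash algorithm, and a verifier that takes the hash from that structure instead of from the algorithm the certificate declares will happily accept an MD5-based signature on a certificate that claims sha256WithRSAEncryption. The following is an added illustration written for this page, not GnuTLS code: it generates a throwaway RSA key at runtime, signs constructed stand-in tbsCertificate bytes, and compares a verifier with the flaw against one that enforces the match. For simplicity the "downgraded" MD5 signature is produced with the same key; a real attacker would instead reuse an existing MD5 signature via a collision, which is exactly why the check matters.

```python
# Added example (not GnuTLS code): the CVE-2015-0282 class of bug.
# Requires Python 3.8+ for pow(e, -1, phi).
import hashlib
import random

# DER-encoded DigestInfo prefixes from RFC 8017, section 9.2, note 1.
DIGESTINFO_PREFIX = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, good enough for a throwaway demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def generate_rsa_key(bits=1024):
    """Returns (n, e, d). Demo only; never use this for real keys."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e, pow(e, -1, phi))


def sign(key, data, hash_name):
    """PKCS #1 v1.5 signature: EM = 00 01 FF..FF 00 || DigestInfo."""
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, data).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def _recover_digestinfo(key, sig):
    """Undo the RSA operation and strip the padding; None if malformed."""
    n, e, _ = key
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return None
    return em[sep + 1:]


def verify_vulnerable(key, declared_hash, data, sig):
    """The bug: the hash is chosen from the DigestInfo found inside the
    signature; declared_hash (the certificate's algorithm) is never compared
    against it, so an MD5 signature passes for a SHA-256 certificate."""
    t = _recover_digestinfo(key, sig)
    if t is None:
        return False
    for name, prefix in DIGESTINFO_PREFIX.items():
        if t == prefix + hashlib.new(name, data).digest():
            return True
    return False


def verify_fixed(key, declared_hash, data, sig):
    """The fix: the DigestInfo must be exactly the one for declared_hash."""
    t = _recover_digestinfo(key, sig)
    expected = DIGESTINFO_PREFIX[declared_hash] + hashlib.new(declared_hash, data).digest()
    return t is not None and t == expected


def demo():
    key = generate_rsa_key()
    tbs = b"constructed stand-in for the tbsCertificate bytes"  # constructed input
    good = sign(key, tbs, "sha256")   # matches a declared sha256WithRSAEncryption
    downgraded = sign(key, tbs, "md5")  # DigestInfo names MD5 instead
    return {
        "vuln_good": verify_vulnerable(key, "sha256", tbs, good),
        "vuln_md5": verify_vulnerable(key, "sha256", tbs, downgraded),
        "fixed_good": verify_fixed(key, "sha256", tbs, good),
        "fixed_md5": verify_fixed(key, "sha256", tbs, downgraded),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable verifier returns True for both signatures, so a policy that "disallows MD5" by inspecting only the certificate's declared algorithm never sees the MD5 in use; the fixed verifier rejects the downgraded signature because the recovered DigestInfo is not the SHA-256 one the certificate promised.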
Comment 1 Alon Bar-Lev gentoo-dev 2015-07-01 05:24:43 UTC
I would like to; we have a problem with net-analyzer/openvas-libraries (bug#544664): it uses upstream-unmaintained gnutls-2. I think we should mask both.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2015-08-15 13:52:31 UTC
(In reply to Alon Bar-Lev from comment #1)
> I would like to; we have a problem with net-analyzer/openvas-libraries
> (bug#544664): it uses upstream-unmaintained gnutls-2. I think we should mask
> both.

We could use the same patch as RedHat/Fedora did:
https://bugzilla.redhat.com/show_bug.cgi?id=1194371
Comment 3 Alon Bar-Lev gentoo-dev 2015-08-15 19:27:44 UTC
(In reply to Yury German from comment #2)
> (In reply to Alon Bar-Lev from comment #1)
> > I would like to; we have a problem with net-analyzer/openvas-libraries
> > (bug#544664): it uses upstream-unmaintained gnutls-2. I think we should mask
> > both.
> 
> We could use the same patch as RedHat/Fedora did:
> https://bugzilla.redhat.com/show_bug.cgi?id=1194371

Too many conflicts.
For one non-stable dependency it is not worth continuing to maintain this package.
Please help mask it out.
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2015-09-02 13:50:32 UTC
(In reply to Alon Bar-Lev from comment #3)
> (In reply to Yury German from comment #2)
> > (In reply to Alon Bar-Lev from comment #1)
> > > I would like to; we have a problem with net-analyzer/openvas-libraries
> > > (bug#544664): it uses upstream-unmaintained gnutls-2. I think we should mask
> > > both.
> > 
> > We could use the same patch as RedHat/Fedora did:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1194371
> 
> Too many conflicts.
> For one non-stable dependency it is not worth continuing to maintain this
> package.
> Please help mask it out.

Seconded, we need to get rid of gnutls 2.x; it is unsupported upstream. Will initiate the procedures for it.

Adding a dep on bug 559120 for stabilization of 3.3 in the same slot; remaining are arm64, s390 and sh, so from that perspective we're mostly fine, but nice to have for tracking.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2015-11-03 17:20:39 UTC
With 3.3.17.1 stabilized now, are we ready to move this to cleanup and remove 2.12.23-r6?
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2015-11-03 17:22:25 UTC
Security Please Vote.
GLSA Vote: No
Comment 7 Kristian Fiskerstrand gentoo-dev Security 2015-11-04 15:25:38 UTC
GLSA Vote: No
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2015-11-17 15:07:13 UTC
Can we remove 2.12.23-r6 yet?
Comment 9 Justin Lecher gentoo-dev 2015-11-18 15:54:05 UTC
(In reply to Alon Bar-Lev from comment #1)
> I would like to; we have a problem with net-analyzer/openvas-libraries
> (bug#544664): it uses upstream-unmaintained gnutls-2. I think we should mask
> both.

net-analyzer/openvas-libraries now supports gnutls-3. Last version depending on gnutls-2 just removed.
Comment 10 Alon Bar-Lev gentoo-dev 2015-11-18 18:38:20 UTC
Cleaned.
Comment 11 Kristian Fiskerstrand gentoo-dev Security 2015-11-18 18:40:34 UTC
(In reply to Alon Bar-Lev from comment #10)
> Cleaned.

Thanks