Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 594738 (CVE-2016-7444) - <net-libs/gnutls-3.3.24-r1: OCSP validation issue
Summary: <net-libs/gnutls-3.3.24-r1: OCSP validation issue
Status: RESOLVED FIXED
Alias: CVE-2016-7444
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2016/q3/545
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-22 01:23 UTC by Ian Zimmerman
Modified: 2016-11-27 11:57 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2016-09-22 01:23:37 UTC
According to the announce on oss-security:

> Stefan Bühler discovered an issue that affects validation of
> certificates using OCSP responses, which can falsely report a
> certificate as valid under certain circumstances. That issue affects
> gnutls 3.3.24, 3.4.14, 3.5.3 and previous versions.

Upstream fix is at [1]. This is as well tracked in Red Hat's bugzilla
at [2].
 [1] https://gitlab.com/gnutls/gnutls/commit/964632f37dfdfb914ebc5e49db4fa29af35b1de9
 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1374266



Reproducible: Always
Comment 1 Alon Bar-Lev gentoo-dev 2016-09-23 06:34:40 UTC
gnutls-3.3.24-r1 was added, thanks!
Comment 2 Alon Bar-Lev gentoo-dev 2016-09-23 06:54:28 UTC
Hi,
Please stabilize.
Thanks!
Comment 3 Jeroen Roovers gentoo-dev 2016-09-24 08:15:52 UTC
Stable for HPPA PPC64.
Comment 4 Agostino Sarubbo gentoo-dev 2016-09-26 19:08:34 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-09-26 19:09:02 UTC
x86 stable
Comment 6 Tobias Klausmann gentoo-dev 2016-09-27 07:02:32 UTC
Stable on alpha.
Comment 7 Agostino Sarubbo gentoo-dev 2016-09-29 09:42:11 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-09-29 12:39:50 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-09-29 13:15:40 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-09-29 13:32:16 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Alon Bar-Lev gentoo-dev 2016-10-14 15:27:27 UTC
Cleanup done.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-27 11:57:30 UTC
GLSA Vote: No