Critical bug in GnuTLS - users - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

1995

1994

1993

1992

1991

1990

1989

1988

1987

1986

1985

1984

1983

1982

1981

1980

Critical bug in GnuTLS

enscript duplex not working

best, up-to-date, *detailed*...

Patrick O'Callaghan

Tuesday, 4 March 2014 Tue, 4 Mar '14

6:01 p.m.

http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-... Putting aside the slightly hysterical tone of the article, this is appears to be a real bug with potentially serious implications. I see that Koji has an updated rpm for F21 and wonder if this will be backported to F20 and F19. Like *soon*. poc

Reply

Show replies by date

Heinz Diehl

Wednesday, 5 March Wed, 5 Mar

5:25 a.m.

On 05.03.2014, Ed Greshko wrote:

Well.... The article pointed to by poc states....

Yes, you're right. Sorry for the noise!

Reply

g

Friday, 7 March Fri, 7 Mar

7:53 a.m.

On 03/05/14 07:26, Matthew Miller wrote:

On Wed, Mar 05, 2014 at 12:01:04AM +0000, Patrick O'Callaghan wrote: > http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-... > Putting aside the slightly hysterical tone of the article, this is > appears to be a real bug with potentially serious implications. I see > that Koji has an updated rpm for F21 and wonder if this will be > backported to F20 and F19. Like *soon*. https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.... https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.... These need testing and karma.

which is exactly why i get these email headers: From: bugzilla(a)redhat.com To: rhsa-announce(a)redhat.com, enterprise-watch-list(a)redhat.com *all* fedora project users should be subscribed. List-Subscribe: <https://www.redhat.com/mailman/listinfo/rhsa-announce> <mailto:rhsa-announce-request@redhat.com?subject=subscribe> -- peace out. in a world with out fences, who needs gates. tc.hago. g .

Reply

Susi Lehtola

Wednesday, 5 March Wed, 5 Mar

7:32 a.m.

On Wed, 5 Mar 2014 11:29:23 +0000 "Patrick O'Callaghan" <pocallaghan(a)gmail.com> wrote:

On Wed, Mar 5, 2014 at 10:28 AM, Ed Greshko <ed.greshko(a)greshko.com> wrote: > On 03/05/14 18:21, Patrick O'Callaghan wrote: >> On Wed, Mar 5, 2014 at 1:26 AM, Matthew Miller <mattdm(a)fedoraproject.org> wrote: >>> https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.... >>> https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.... >>> >>> These need testing and karma. >> AFAIK 3.1.20 is not the bugfixed version. It needs to be 3.2.12, which >> is still only available for F21. >> >> poc > > So, you're saying the comments in those links are inaccurate? I'm just wondering why the version numbers don't correspond to those in the GnuTLS advisory: http://www.gnutls.org/security.html#GNUTLS-SA-2014-2

Most likely because the patch has been applied, as the maintainer didn't want to do a version bump on a core package. -- Susi Lehtola Fedora Project Contributor jussilehtola(a)fedoraproject.org

Reply

Patrick O'Callaghan

5:29 a.m.

On Wed, Mar 5, 2014 at 10:28 AM, Ed Greshko <ed.greshko(a)greshko.com> wrote:

On 03/05/14 18:21, Patrick O'Callaghan wrote: > On Wed, Mar 5, 2014 at 1:26 AM, Matthew Miller <mattdm(a)fedoraproject.org> wrote: >> https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.... >> https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.... >> >> These need testing and karma. > AFAIK 3.1.20 is not the bugfixed version. It needs to be 3.2.12, which > is still only available for F21. > > poc So, you're saying the comments in those links are inaccurate?

I'm just wondering why the version numbers don't correspond to those in the GnuTLS advisory: http://www.gnutls.org/security.html#GNUTLS-SA-2014-2 poc

Reply

Patrick O'Callaghan

4:21 a.m.

On Wed, Mar 5, 2014 at 1:26 AM, Matthew Miller <mattdm(a)fedoraproject.org> wrote:

https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.... https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.... These need testing and karma.

AFAIK 3.1.20 is not the bugfixed version. It needs to be 3.2.12, which is still only available for F21. poc

Reply

Ed Greshko

12:26 a.m.

On 03/05/14 14:18, Heinz Diehl wrote:

On 05.03.2014, Matthew Miller wrote: > https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.... > https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.... Do they fix the bug?

Well.... The article pointed to by poc states.... GnuTLS developers published this bare-bones advisory that urges all users to upgrade to version 3.2.12. The flaw, formally indexed as CVE-2014-0092, is described by a GnuTLS developer as "an important (and at the same time embarrassing) bug discovered during an audit for Red Hat." Debian's advisory is here. And the links above state.... Bugs Fixed 1069865 - CVE-2014-0092: gnutls: incorrect error handling in certificate verification (GNUTLS-SA-2014-2) 1071795 - CVE-2014-0092: gnutls: incorrect error handling in certificate verification (GNUTLS-SA-2014-2) [fedora-all] So....... -- Getting tired of non-Fedora discussions and self-serving posts

Reply

Heinz Diehl

12:18 a.m.

On 05.03.2014, Matthew Miller wrote:

https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.... https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4....

Do they fix the bug?

Reply

Matthew Miller

Tuesday, 4 March Tue, 4 Mar

7:26 p.m.

On Wed, Mar 05, 2014 at 12:01:04AM +0000, Patrick O'Callaghan wrote:

http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-... Putting aside the slightly hysterical tone of the article, this is appears to be a real bug with potentially serious implications. I see that Koji has an updated rpm for F21 and wonder if this will be backported to F20 and F19. Like *soon*.

https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.... https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.... These need testing and karma. -- Matthew Miller -- Fedora Project -- <mattdm(a)fedoraproject.org>

Reply

Digimer

7:51 p.m.

On 04/03/14 08:26 PM, Matthew Miller wrote:

On Wed, Mar 05, 2014 at 12:01:04AM +0000, Patrick O'Callaghan wrote: > http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-... > Putting aside the slightly hysterical tone of the article, this is > appears to be a real bug with potentially serious implications. I see > that Koji has an updated rpm for F21 and wonder if this will be > backported to F20 and F19. Like *soon*. https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.... https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.... These need testing and karma.

Tested and karma'ed. -- Digimer Papers and Projects: https://alteeve.ca/w/ What if the cure for cancer is trapped in the mind of a person without access to education?

Reply

Ed Greshko

Wednesday, 5 March Wed, 5 Mar

4:28 a.m.

On 03/05/14 18:21, Patrick O'Callaghan wrote:

On Wed, Mar 5, 2014 at 1:26 AM, Matthew Miller <mattdm(a)fedoraproject.org> wrote: > https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.... > https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.... > > These need testing and karma. AFAIK 3.1.20 is not the bugfixed version. It needs to be 3.2.12, which is still only available for F21. poc

So, you're saying the comments in those links are inaccurate? -- Getting tired of non-Fedora discussions and self-serving posts

Reply

3712

days inactive

3714

days old

users@lists.fedoraproject.org

Manage subscription

10 comments

7 participants

tags (0)

participants (7)

Digimer
Ed Greshko
g
Heinz Diehl
Matthew Miller
Patrick O'Callaghan
Susi Lehtola