Re: Critical bug in GnuTLS

2014-03-07 Thread g



On 03/05/14 07:26, Matthew Miller wrote:
> On Wed, Mar 05, 2014 at 12:01:04AM +, Patrick O'Callaghan wrote:
>> http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
>> Putting aside the slightly hysterical tone of the article, this
>> appears to be a real bug with potentially serious implications. I see
>> that Koji has an updated rpm for F21 and wonder if this will be
>> backported to F20 and F19. Like *soon*.
>
> https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.fc20
> https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.fc19
>
> These need testing and karma.


which is exactly why i get these email headers:

  From: bugzi...@redhat.com
  To: rhsa-annou...@redhat.com, enterprise-watch-l...@redhat.com

*all* fedora project users should be subscribed.

List-Subscribe:
   
   

--

peace out.

in a world with out fences, who needs gates.

tc.hago.

g
.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: Critical bug in GnuTLS

2014-03-05 Thread Susi Lehtola
On Wed, 5 Mar 2014 11:29:23 +
"Patrick O'Callaghan"  wrote:

> On Wed, Mar 5, 2014 at 10:28 AM, Ed Greshko  wrote:
> > On 03/05/14 18:21, Patrick O'Callaghan wrote:
> >> On Wed, Mar 5, 2014 at 1:26 AM, Matthew Miller  
> >> wrote:
> >>> https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.fc20
> >>> https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.fc19
> >>>
> >>> These need testing and karma.
> >> AFAIK 3.1.20 is not the bugfixed version. It needs to be 3.2.12, which
> >> is still only available for F21.
> >>
> >> poc
> >
> > So, you're saying the comments in those links are inaccurate?
> 
> I'm just wondering why the version numbers don't correspond to those
> in the GnuTLS advisory:
> 
> http://www.gnutls.org/security.html#GNUTLS-SA-2014-2

Most likely because the patch has been applied, as the maintainer didn't
want to do a version bump on a core package.
-- 
Susi Lehtola
Fedora Project Contributor
jussileht...@fedoraproject.org
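
A distribution package can carry a security fix as a backported patch while keeping its upstream version number, so the package changelog is the place to confirm it. The script below is an added example, not part of the original message: the changelog text is constructed for illustration, and on a real system the input would come from `rpm -q --changelog gnutls`.

```shell
#!/bin/sh
# Added example: confirm a backported fix from the RPM changelog rather than
# by comparing the package version with the upstream advisory's version.

# cve_fix_release CVE-ID
# Reads changelog text (the format printed by `rpm -q --changelog PKG`) on
# stdin. Prints the version-release of the newest entry that mentions CVE-ID.
# Returns 0 if an entry was found, 1 otherwise.
cve_fix_release() {
    awk -v cve="$1" '
        # Entry header, e.g. "* Mon Mar 03 2014 Name <mail> - 3.1.20-4":
        # the last field is the version-release of that entry.
        /^\* / { rel = $NF; next }
        # Entries are listed newest first, so the first match is the newest.
        index($0, cve) && !found { print rel; found = 1 }
        END { exit !found }
    '
}

# Constructed sample input (dates, packager and wording are made up; only the
# version-release 3.1.20-4 and the CVE id are taken from the thread).
SAMPLE_CHANGELOG='* Mon Mar 03 2014 Example Packager <packager@example.org> - 3.1.20-4
- backported fix for CVE-2014-0092 (constructed entry)

* Fri Feb 14 2014 Example Packager <packager@example.org> - 3.1.20-3
- unrelated rebuild (constructed entry)'

# Demo on the constructed sample; prints the release that carries the fix.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fix_release CVE-2014-0092

# On an installed system the same check would be:
#   rpm -q --changelog gnutls | cve_fix_release CVE-2014-0092
```

A non-zero exit status means no changelog entry mentions the CVE, which is the case to investigate further before assuming the package is patched.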


Re: Critical bug in GnuTLS

2014-03-05 Thread Patrick O'Callaghan
On Wed, Mar 5, 2014 at 10:28 AM, Ed Greshko  wrote:
> On 03/05/14 18:21, Patrick O'Callaghan wrote:
>> On Wed, Mar 5, 2014 at 1:26 AM, Matthew Miller  
>> wrote:
>>> https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.fc20
>>> https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.fc19
>>>
>>> These need testing and karma.
>> AFAIK 3.1.20 is not the bugfixed version. It needs to be 3.2.12, which
>> is still only available for F21.
>>
>> poc
>
> So, you're saying the comments in those links are inaccurate?

I'm just wondering why the version numbers don't correspond to those
in the GnuTLS advisory:

http://www.gnutls.org/security.html#GNUTLS-SA-2014-2

poc


Re: Critical bug in GnuTLS

2014-03-05 Thread Heinz Diehl
On 05.03.2014, Ed Greshko wrote: 

> Well  The article pointed to by poc states

Yes, you're right. Sorry for the noise!



Re: Critical bug in GnuTLS

2014-03-05 Thread Ed Greshko
On 03/05/14 18:21, Patrick O'Callaghan wrote:
> On Wed, Mar 5, 2014 at 1:26 AM, Matthew Miller  
> wrote:
>> https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.fc20
>> https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.fc19
>>
>> These need testing and karma.
> AFAIK 3.1.20 is not the bugfixed version. It needs to be 3.2.12, which
> is still only available for F21.
>
> poc

So, you're saying the comments in those links are inaccurate?

-- 
Getting tired of non-Fedora discussions and self-serving posts


Re: Critical bug in GnuTLS

2014-03-05 Thread Patrick O'Callaghan
On Wed, Mar 5, 2014 at 1:26 AM, Matthew Miller  wrote:
> https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.fc20
> https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.fc19
>
> These need testing and karma.

AFAIK 3.1.20 is not the bugfixed version. It needs to be 3.2.12, which
is still only available for F21.

poc


Re: Critical bug in GnuTLS

2014-03-04 Thread Ed Greshko
On 03/05/14 14:18, Heinz Diehl wrote:
> On 05.03.2014, Matthew Miller wrote: 
>
>> https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.fc20
>> https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.fc19
> Do they fix the bug?
>

Well  The article pointed to by poc states

GnuTLS developers published this bare-bones advisory that urges all users to 
upgrade to version 3.2.12. The flaw, formally indexed as CVE-2014-0092, is 
described by a GnuTLS developer as "an important (and at the same time 
embarrassing) bug discovered during an audit for Red Hat." Debian's advisory is 
here.

And the links above state

Bugs Fixed
1069865 - CVE-2014-0092: gnutls: incorrect error handling in certificate 
verification (GNUTLS-SA-2014-2)
1071795 - CVE-2014-0092: gnutls: incorrect error handling in certificate 
verification (GNUTLS-SA-2014-2) [fedora-all]

So...

-- 
Getting tired of non-Fedora discussions and self-serving posts


Re: Critical bug in GnuTLS

2014-03-04 Thread Heinz Diehl
On 05.03.2014, Matthew Miller wrote: 

> https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.fc20
> https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.fc19

Do they fix the bug?



Re: Critical bug in GnuTLS

2014-03-04 Thread Digimer

On 04/03/14 08:26 PM, Matthew Miller wrote:
> On Wed, Mar 05, 2014 at 12:01:04AM +, Patrick O'Callaghan wrote:
>> http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
>> Putting aside the slightly hysterical tone of the article, this
>> appears to be a real bug with potentially serious implications. I see
>> that Koji has an updated rpm for F21 and wonder if this will be
>> backported to F20 and F19. Like *soon*.
>
> https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.fc20
> https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.fc19
>
> These need testing and karma.


Tested and karma'ed.

--
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without 
access to education?



Re: Critical bug in GnuTLS

2014-03-04 Thread Matthew Miller
On Wed, Mar 05, 2014 at 12:01:04AM +, Patrick O'Callaghan wrote:
> http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
> Putting aside the slightly hysterical tone of the article, this
> appears to be a real bug with potentially serious implications. I see
> that Koji has an updated rpm for F21 and wonder if this will be
> backported to F20 and F19. Like *soon*.

https://admin.fedoraproject.org/updates/FEDORA-2014-3413/gnutls-3.1.20-4.fc20
https://admin.fedoraproject.org/updates/FEDORA-2014-3363/gnutls-3.1.20-4.fc19

These need testing and karma.

-- 
Matthew Miller--   Fedora Project--