Bug 40411 – gnutls26: Multiple issues (4.0)

Bug 40411 - gnutls26: Multiple issues (4.0)


Summary:	gnutls26: Multiple issues (4.0)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.0-4-errata
Assigned To:	Daniel Tröder
QA Contact:	Philipp Hahn

URL:
Keywords:

Depends on:	40412
Blocks:
	Show dependency tree / graph

Reported:	2016-01-11 14:17 CET by Arvid Requate
Modified:	2016-02-05 14:35 CET (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:

Flags:	requate: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2016-01-11 14:17:04 CET

Upstream Debian package version 2.12.20-8+deb7u5 fixes the following issues:

* fail to check the first byte of the padding in CBC modes (CVE-2015-8313)

* SLOTH: Security Losses from Obsolete and Truncated Transcript Hashes (CVE-2015-7575)

Comment 1 Daniel Tröder

2016-01-28 09:57:46 CET

repo_admin.py --cherrypick --release 4.1-0-0 -s errata4.1-0 --releasedest 4.0-0-0 --dest errata4.0-4 -p gnutls26

Advisory (gnutls26.yaml): r67033

Comment 2 Philipp Hahn

2016-02-01 12:58:05 CET

OK: DEBIAN_FRONTEND=noninteractive aptitude -y install '?source-package(gnutls26)~i' #  2.12.20-8.29.201601280949
OK: UCS-4.0 < UCS-4.1
OK: apt-get install gnutls-bin
OK: apt-get install libgnutls26-dbg
OK: apt-get install gnutls26-doc
OK: apt-get install libgnutls-openssl27
OK: apt-get install libgnutlsxx27
OK: apt-get install guile-gnutls # unmaintained=yes
OK: apt-get install libgnutls-dev # unmaintained=yes

OK: amd64 i386

OK: elinks http://google.de/
OK: gnutls-cli mail.univention.de -p submission -s --insecure
OK: ldapsearch -H "ldap://$(ucr get ldap/master)" -b "$(ucr get ldap/base)" -D "$(ucr get ldap/hostdn)" -y /etc/machine.secret -ZZ -LLL uid=Administrator uid

OK: zless /usr/share/doc/libgnutls26/changelog.Debian.gz
OK: CVE-2015-8313
OK: CVE-2015-7575
FIXED: gnutls26.yaml r67096
OK: errata-announce -VVBB --only gnutls26.yaml

Comment 3 Janek Walkenhorst

2016-02-05 14:35:16 CET

<http://errata.software-univention.de/ucs/4.0/398.html>