VectorLinux
Topic: 081115 gnutls 2.6.1 closes known security vulnerability [VL 5.9, VL 6.0]
caitlyn
« on: November 15, 2008, 01:55:36 pm »

A new gnutls package closes a known security vulnerability detailed at:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989

Quote
** libgnutls: Fix X.509 certificate chain validation error.
    [GNUTLS-SA-2008-3]  The flaw makes it possible for man in the middle
    attackers (i.e., active attackers) to assume any name and trick GNU TLS
    clients into trusting that name.  Thanks for report and analysis from
    Martin von Gagern <Martin.vGagern@gmx.net>.  [CVE-2008-4989]

UPDATE:  A new gnutls package for VL 6.0 is in the patches repository.  A new package for 5.9 is in the testing repository but it is known to break a number of other packages.  Please read the package announcement before deciding whether to upgrade immediately or not.  Updated packages for VL 5.9 which depend on gnutls will also be posted.
« Last Edit: December 26, 2008, 05:01:44 pm by caitlyn » Logged

eMachines EL-1300G desktop, 1.6GHz AMD Athlon 2650e CPU, 4GB RAM, nVidia GeForce 6150 SE video
CentOS 6.5 (will try VL64-7.1 soon)

Toshiba Satellite A135-S4727,  Intel Pentium T2080 / 1.73 GHz, 2GB RAM, Intel GMA 950

HP Mini 110 netbook, 1.6GHz Intel Atom CPU, 2GB RAM, Intel 950 video, VL 7.1
caitlyn
« Reply #1 on: December 26, 2008, 05:03:38 pm »

UPDATE: 26 December 2008 --  The updated gnutls is now in the patches repository for VL 5.9.  A new Pidgin package built to work with the updated version of gnutls is also in patches.

VL 6.0 rc1 and VL 6.0 Light Beta 1 already include the updated gnutls package.  Some older releases may not. 
hata_ph
« Reply #2 on: January 16, 2009, 10:00:09 pm »

I just upgraded to gnutls-2.6.1, but it broke adie and pidgin in my VL5.9 Light.

Quote
2009-01-17 08:54:51 Removed: gnutls-1.6.3-i486-1_slack12.0-upgraded-2009-01-17,08:54:36
2009-01-17 08:54:51 Upgraded: gnutls-1.6.3-i486-1_slack12.0 to gnutls-2.6.1-i486-1_slack12.0.tlz
2009-01-17 13:04:23 Removed: pidgin-2.5.4-i586-1vl59
2009-01-17 13:04:56 Installed new: pidgin-2.5.4-i586-1vl59.tlz

Quote
vectorlight:/~
hata_ph:$ adie
adie: error while loading shared libraries: libgnutls.so.13: cannot open shared object file: No such file or directory

When I compile pidgin-2.5.4 with gnutls-1.6.3-i486-1_slack12.0, everything works fine. With gnutls-2.6.1-i486-1_slack12.0, my pidgin shows an SSL error.
« Last Edit: January 16, 2009, 10:02:00 pm by hata_ph » Logged
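The breakage reported above (a security upgrade changes the library soname, so binaries built against the old one no longer load) can be audited before and after the upgrade. The script below is an added example, not part of the original thread or of any VectorLinux tooling; the function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: after a library upgrade, list binaries whose shared-library
# dependencies no longer resolve, so packagers know what must be rebuilt.
# Assumption: ldd is available. Run it only on binaries from trusted
# packages, since ldd may execute code from the file it inspects.

# Read `ldd` output on stdin; print each unresolved soname once.
missing_sonames() {
    awk '/=> not found/ { print $1 }' | sort -u
}

# Print "soname<TAB>binary" for every unresolved dependency found under
# the given directories, sorted so binaries group by missing library.
scan_broken() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -perm -u+x 2>/dev/null | while IFS= read -r bin; do
            ldd "$bin" 2>/dev/null | missing_sonames | while IFS= read -r so; do
                printf '%s\t%s\n' "$so" "$bin"
            done
        done
    done | sort
}

# Constructed sample of ldd output for a binary still linked against the
# old gnutls soname (mirrors the loader error quoted in the post above).
sample_ldd_output() {
    cat <<'EOF'
	libpthread.so.0 => /lib/libpthread.so.0 (0xb7e00000)
	libgnutls.so.13 => not found
	libc.so.6 => /lib/libc.so.6 (0xb7a00000)
EOF
}

# Stand-alone use: ./scan.sh /usr/bin /usr/lib
if [ "$#" -gt 0 ]; then
    scan_broken "$@"
fi
```

Running the scan against the binary directories before upgrading in a test environment shows which dependent packages need rebuilt versions shipped alongside the security fix.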
caitlyn
« Reply #3 on: January 16, 2009, 10:36:53 pm »

We can't go backwards to a vulnerable version.  Please post about this in the packagers' board.  I know someone (Uelsk8s?) has had success building Pidgin packages for VL 6.0 against the new gnutls.  You can also rebuild the fox package using my build script for 6.0 against the new gnutls.  That did work for me on 6.0.  I don't have a VL 5.9 machine anymore so I can't do the rebuilds.
hata_ph
« Reply #4 on: January 17, 2009, 03:25:42 am »

I have done so and am awaiting help from others.

http://forum.vectorlinux.com/index.php?topic=8227.msg56092#new

I would be willing to help compile it for VL59.
frankiben123
« Reply #5 on: July 02, 2009, 09:42:00 am »

wow....nice post...thanks for posting....