VectorLinux


Author Topic: 081115 gnutls 2.6.1 closes known security vulnerability [VL 5.9, VL 6.0]  (Read 6403 times)

caitlyn

  • Packager
  • Vectorian
  • ****
  • Posts: 2878
    • The Linux Works

A new gnutls package closes a known security vulnerability detailed at:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989

Quote
** libgnutls: Fix X.509 certificate chain validation error.
    [GNUTLS-SA-2008-3]  The flaw makes it possible for man in the middle
    attackers (i.e., active attackers) to assume any name and trick GNU TLS
    clients into trusting that name.  Thanks for report and analysis from
    Martin von Gagern <Martin.vGagern@gmx.net>.  [CVE-2008-4989]

UPDATE:  A new gnutls package for VL 6.0 is in the patches repository.  A new package for 5.9 is in the testing repository but it is known to break a number of other packages.  Please read the package announcement before deciding whether to upgrade immediately or not.  Updated packages for VL 5.9 which depend on gnutls will also be posted.
« Last Edit: December 26, 2008, 05:01:44 pm by caitlyn »
eMachines EL-1300G desktop, 1.6GHz AMD Athlon 2650e CPU, 4GB RAM, nVidia GeForce 6150 SE video
CentOS 6.5 (will try VL64-7.1 soon)

Toshiba Satellite A135-S4727,  Intel Pentium T2080 / 1.73 GHz, 2GB RAM, Intel GMA 950

HP Mini 110 netbook, 1.6GHz Intel Atom CPU, 2GB RAM, Intel 950 video, VL 7.1

caitlyn

Re: 081115 gnutls 2.6.1 closes known security vulnerability [VL 5.9, VL 6.0]
« Reply #1 on: December 26, 2008, 05:03:38 pm »

UPDATE: 26 December 2008 --  The updated gnutls is now in the patches repository for VL 5.9.  A new Pidgin package built to work with the updated version of gnutls is also in patches.

VL 6.0 rc1 and VL 6.0 Light Beta 1 already include the updated gnutls package.  Some older releases may not. 

hata_ph

  • Packager
  • Vectorian
  • ****
  • Posts: 3261
  • -- Just being myself --
Re: 081115 gnutls 2.6.1 closes known security vulnerability [VL 5.9, VL 6.0]
« Reply #2 on: January 16, 2009, 10:00:09 pm »

I just upgraded to gnutls-2.6.1 but it broke adie and pidgin in my VL5.9 Light

Quote
2009-01-17 08:54:51 Removed: gnutls-1.6.3-i486-1_slack12.0-upgraded-2009-01-17,08:54:36
2009-01-17 08:54:51 Upgraded: gnutls-1.6.3-i486-1_slack12.0 to gnutls-2.6.1-i486-1_slack12.0.tlz
2009-01-17 13:04:23 Removed: pidgin-2.5.4-i586-1vl59
2009-01-17 13:04:56 Installed new: pidgin-2.5.4-i586-1vl59.tlz

Quote
vectorlight:/~
hata_ph:$ adie
adie: error while loading shared libraries: libgnutls.so.13: cannot open shared object file: No such file or directory

When I compile pidgin-2.5.4 with gnutls-1.6.3-i486-1_slack12.0 everything works fine... with gnutls-2.6.1-i486-1_slack12.0 my pidgin shows an SSL error...
« Last Edit: January 16, 2009, 10:02:00 pm by hata_ph »
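
The loader error quoted in Reply #2 shows adie still requesting libgnutls.so.13 after the upgrade. The following is an added example, not part of the original posts, that lists which installed binaries have such unresolved sonames and so need a rebuild against the patched library; the function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: find binaries whose shared-library
# dependencies stopped resolving after a library upgrade.
# Caveat: ldd can execute code from the file it inspects, so point this only
# at trusted, package-installed binaries.

# unresolved_libs PREFIX
# Reads `ldd` output on stdin; prints each soname beginning with PREFIX that
# the dynamic loader reported as "=> not found". An empty PREFIX matches all.
unresolved_libs() {
    awk -v p="$1" '
        $2 == "=>" && $3 == "not" && $4 == "found" &&
        (p == "" || index($1, p) == 1) { print $1 }
    ' | sort -u
}

# broken_binaries PREFIX DIR...
# Runs ldd on every executable regular file in each DIR and prints
# "path: soname" for every unresolved soname matching PREFIX.
broken_binaries() {
    prefix=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            ldd "$f" 2>/dev/null | unresolved_libs "$prefix" |
                while read -r lib; do printf '%s: %s\n' "$f" "$lib"; done
        done
    done
}

# Constructed ldd output modelled on the adie error quoted in Reply #2.
sample_ldd_output() {
    printf '\tlibz.so.1 => /usr/lib/libz.so.1 (0xb7e10000)\n'
    printf '\tlibgnutls.so.13 => not found\n'
    printf '\tlibc.so.6 => /lib/libc.so.6 (0xb7c80000)\n'
}

# Demo on the constructed sample; on a real system run, for example:
#   broken_binaries libgnutls /usr/bin /usr/lib
sample_ldd_output | unresolved_libs libgnutls
```

Running `broken_binaries` before and after a library upgrade gives the list of dependent packages that must be rebuilt, so the patched library can stay installed.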

caitlyn

Re: 081115 gnutls 2.6.1 closes known security vulnerability [VL 5.9, VL 6.0]
« Reply #3 on: January 16, 2009, 10:36:53 pm »

We can't go backwards to a vulnerable version.  Please post about this in the packagers' board.  I know someone (Uelsk8s?) has had success building Pidgin packages for VL 6.0 against the new gnutls.  You can also rebuild the fox package using my build script for 6.0 against the new gnutls.  That did work for me on 6.0.  I don't have a VL 5.9 machine anymore so I can't do the rebuilds.

hata_ph

Re: 081115 gnutls 2.6.1 closes known security vulnerability [VL 5.9, VL 6.0]
« Reply #4 on: January 17, 2009, 03:25:42 am »

I have done so and am awaiting help from others.

http://forum.vectorlinux.com/index.php?topic=8227.msg56092#new

I would be willing to help compile it for VL59 :)

frankiben123

  • Member
  • *
  • Posts: 1

wow....nice post...thanks for posting....