Bug 880910 - VUL-0: gnutls affected by libtasn1 vulnerabilities
Status: VERIFIED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Major
Assigned To: Shawn C
Security Team bot
maint:released:sle11-sp3:57659 maint:...
Reported: 2014-06-02 09:30 UTC by Johannes Segitz
Modified: 2014-07-16 10:50 UTC (History)

Description Johannes Segitz 2014-06-02 09:30:19 UTC
gnutls uses libtasn1 code and therefore is also affected by
- CVE-2014-3467: bnc#880737
- CVE-2014-3468: bnc#880735
- CVE-2014-3469: bnc#880738

Backported patches for 2.12.23, could be helpful for 2.4.1

http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3467.diff
http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3468.diff
http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3469.diff
Comment 2 Swamp Workflow Management 2014-06-02 22:00:32 UTC
bugbot adjusting priority
Comment 4 Shawn Chang 2014-06-03 17:59:37 UTC
Fixed for SLE11/SLE10/SLE9....
Comment 7 Shawn Chang 2014-06-04 09:59:13 UTC
Re-assigning to security team.
Comment 8 Johannes Segitz 2014-06-04 11:10:13 UTC
Please also submit again for openSUSE 12.3 and 13.1
Comment 9 Swamp Workflow Management 2014-06-04 21:53:30 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-64bit, libgnutls26-x86
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-HAE 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 10 Swamp Workflow Management 2014-06-05 01:04:36 UTC
SUSE-SU-2014:0758-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 880730,880910
CVE References: CVE-2014-3466
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    gnutls-2.4.1-24.39.51.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    gnutls-2.4.1-24.39.51.1
SUSE Linux Enterprise Server 11 SP3 (src):    gnutls-2.4.1-24.39.51.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    gnutls-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    gnutls-2.4.1-24.39.51.1
Comment 11 Bernhard Wiedemann 2014-06-05 07:00:41 UTC
This is an autogenerated message for OBS integration:
This bug (880910) was mentioned in
https://build.opensuse.org/request/show/236348 13.1 / gnutls
Comment 12 Shawn C 2014-06-05 07:07:10 UTC
Submit requests for openSUSE 13.1/12.3 already....
Comment 13 Bernhard Wiedemann 2014-06-05 08:00:55 UTC
This is an autogenerated message for OBS integration:
This bug (880910) was mentioned in
https://build.opensuse.org/request/show/236349 12.3 / gnutls
Comment 15 Swamp Workflow Management 2014-06-11 13:04:35 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-devel
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 16 Swamp Workflow Management 2014-06-12 16:04:40 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 17 Swamp Workflow Management 2014-06-12 18:46:59 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, s390x, x86_64)
SLE-SERVER 11-SP2-LTSS (i386, s390x, x86_64)
Comment 18 Swamp Workflow Management 2014-06-12 18:48:35 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 20 Swamp Workflow Management 2014-06-12 20:49:09 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26
Products:
SUSE-MANAGER 1.7 (x86_64)
Comment 21 Swamp Workflow Management 2014-06-12 22:04:50 UTC
SUSE-SU-2014:0788-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 880730,880910
CVE References: CVE-2014-3466,CVE-2014-3467,CVE-2014-3468,CVE-2014-3469
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    gnutls-2.4.1-24.39.53.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    gnutls-2.4.1-24.39.53.1
Comment 22 Swamp Workflow Management 2014-06-13 00:04:57 UTC
SUSE-SU-2014:0758-2: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 880730,880910
CVE References: CVE-2014-3466
Sources used:
SUSE Manager 1.7 for SLE 11 SP2 (src):    gnutls-2.4.1-24.39.51.1
Comment 23 Swamp Workflow Management 2014-06-13 13:48:06 UTC
Update released for: gnutls, gnutls-32bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit, gnutls-x86
Products:
SLE-DEBUGINFO 10-SP4 (i386, s390x, x86_64)
SLE-SERVER 10-SP4-LTSS (i386, s390x, x86_64)
Comment 24 Swamp Workflow Management 2014-06-13 14:47:00 UTC
Update released for: gnutls, gnutls-32bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit, gnutls-x86
Products:
SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 25 Swamp Workflow Management 2014-06-13 18:04:36 UTC
SUSE-SU-2014:0788-2: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 880730,880910
CVE References: CVE-2014-3466,CVE-2014-3467,CVE-2014-3468,CVE-2014-3469
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    gnutls-1.2.10-13.40.1
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    gnutls-1.2.10-13.40.1
Comment 26 Swamp Workflow Management 2014-06-16 09:04:36 UTC
Update released for: gnutls, gnutls-devel
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 27 Swamp Workflow Management 2014-06-16 12:47:45 UTC
Update released for: gnutls, gnutls-devel
Products:
SUSE-CORE 9-LTSS (i386, s390, s390x, x86_64)
Comment 28 Johannes Segitz 2014-06-16 13:30:21 UTC
all relevant packages were updated
Comment 29 Swamp Workflow Management 2014-06-16 16:05:17 UTC
SUSE-SU-2014:0800-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 554084,670152,802651,880730,880910
CVE References: CVE-2013-1619,CVE-2014-3466,CVE-2014-3467,CVE-2014-3468,CVE-2014-3469
Sources used:
SUSE CORE 9 (src):    gnutls-1.0.8-26.32
Comment 30 Swamp Workflow Management 2014-06-24 10:14:04 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-07-01.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58005
Comment 31 Swamp Workflow Management 2014-06-24 11:24:17 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-07-01.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58007
Comment 32 Swamp Workflow Management 2014-06-30 14:16:35 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-x86
Products:
Open-Enterprise-Server 11-SP1 (x86_64)
Comment 33 Swamp Workflow Management 2014-06-30 16:51:27 UTC
Update released for: gnutls, gnutls-devel, gnutls-32bit, gnutls-devel-32bit
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SERVER 10-SP3 (i386, x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)