Bug 921684 - (CVE-2015-0282) VUL-0: CVE-2015-0282: gnutls: GNUTLS-SA-2015-1: Signature forgery
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: maint:released:sle11-sp1:61304 maint...
Depends on:
Blocks:
Reported: 2015-03-11 08:38 UTC by Marcus Meissner
Modified: 2015-04-08 07:55 UTC
CC: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2015-03-11 08:38:53 UTC
from gnutls.org website:

This issue only affects versions of GnuTLS prior to 3.1.0 (released in 2012). These versions don't verify the RSA PKCS #1 signature algorithm to match the signature algorithm in the certificate, leading to a potential downgrade to a disallowed algorithm, such as MD5, without detecting it.
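Added example (written for this page; it is not GnuTLS code, not taken from the commit referenced below, and not part of the comment above): a small model of the verifier behaviour the advisory describes. The vulnerable verifier applies the algorithm policy to the certificate's declared signature algorithm but then compares whatever digest the DigestInfo recovered from the RSA signature names, so a signature built over MD5 passes a certificate that declares sha256WithRSAEncryption. The hardened verifier follows RFC 8017 section 8.2.2 and rebuilds the full EMSA-PKCS1-v1_5 encoding from the declared algorithm before comparing. The RSA key, the disallowed-algorithm set and the TBSCertificate stand-in are all constructed here; the MD5-labelled signature is produced with the demo private key to stand in for a collision-based forgery, which is not shown.

```python
import hashlib
import hmac
import random

# DER DigestInfo prefixes from RFC 8017, section 9.2, note 1.
DIGEST_INFO = {
    "md5":    bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
DISALLOWED = {"md5"}  # constructed policy, checked against the declared algorithm only

def _is_probable_prime(n, rng, rounds=32):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):  # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin; adequate for a throwaway demo key
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_toy_rsa(bits=1024, seed=2015):
    """Deterministic toy keypair (n, e, d); the fixed seed keeps runs repeatable."""
    rng, e = random.Random(seed), 65537
    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if (c - 1) % e and _is_probable_prime(c, rng):
                return c
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))  # modular inverse needs Python 3.8+

def emsa_pkcs1_v15_encode(hash_name, message, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo (RFC 8017, section 9.2)."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    if k - len(t) - 3 < 8:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, hash_name, message):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15_encode(hash_name, message, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def verify_vulnerable(pub, signature, message, declared_hash):
    """Pre-3.1.0 behaviour as the advisory describes it: policy sees only the
    declared algorithm; the digest compared is whatever the DigestInfo names."""
    if declared_hash in DISALLOWED:
        return False
    n, e = pub
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return False
    t = em[sep + 1:]
    for name, prefix in DIGEST_INFO.items():
        if t.startswith(prefix):  # 'name' is never compared with declared_hash
            return t[len(prefix):] == hashlib.new(name, message).digest()
    return False

def verify_hardened(pub, signature, message, declared_hash):
    """RFC 8017 8.2.2: rebuild EM from the declared algorithm, compare the whole encoding."""
    if declared_hash in DISALLOWED or declared_hash not in DIGEST_INFO:
        return False
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(declared_hash, message, k))

def demo():
    """Constructed scenario: the certificate declares sha256WithRSAEncryption, but
    one signature carries an MD5 DigestInfo (a stand-in for an MD5 forgery)."""
    n, e, d = generate_toy_rsa()
    pub, priv, tbs = (n, e), (n, d), b"constructed stand-in for a TBSCertificate"
    good, downgraded = rsa_sign(priv, "sha256", tbs), rsa_sign(priv, "md5", tbs)
    return {
        "vuln_good": verify_vulnerable(pub, good, tbs, "sha256"),
        "vuln_downgraded": verify_vulnerable(pub, downgraded, tbs, "sha256"),
        "fixed_good": verify_hardened(pub, good, tbs, "sha256"),
        "fixed_downgraded": verify_hardened(pub, downgraded, tbs, "sha256"),
        "fixed_md5_declared": verify_hardened(pub, downgraded, tbs, "md5"),
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two verifiers agreeing on the genuine SHA-256 signature and disagreeing on the MD5-labelled one: the vulnerable path accepts it under a sha256 declaration, the hardened path rejects it, and the hardened path also rejects an honestly declared MD5 signature because the policy forbids that algorithm. The whole-encoding comparison is what makes the fix robust; checking only that the recovered DigestInfo OID equals the declared one would close this downgrade but still leave the verifier parsing attacker-controlled padding.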
Comment 1 Swamp Workflow Management 2015-03-11 12:41:08 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-03-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61058
Comment 2 Marcus Meissner 2015-03-11 12:48:27 UTC
commit d326f81daed5a1a06476d66a81584f8c7b71141d
Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Mon Feb 23 10:03:47 2015 +0100

    Added fix for GNUTLS-SA-2015-1

in https://gitlab.com/gnutls/gnutls.git gnutls_2_12_x branch
Comment 3 Swamp Workflow Management 2015-03-11 23:00:13 UTC
bugbot adjusting priority
Comment 8 Andreas Stieger 2015-04-07 15:41:03 UTC
releasing
Comment 9 Swamp Workflow Management 2015-04-08 01:05:13 UTC
SUSE-SU-2015:0675-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 919938,921684
CVE References: CVE-2014-8155,CVE-2015-0282,CVE-2015-0294
Sources used:
SUSE Manager 1.7 for SLE 11 SP2 (src):    gnutls-2.4.1-24.39.55.1
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    gnutls-2.4.1-24.39.55.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    gnutls-2.4.1-24.39.55.1
SUSE Linux Enterprise Server 11 SP3 (src):    gnutls-2.4.1-24.39.55.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    gnutls-2.4.1-24.39.55.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    gnutls-2.4.1-24.39.55.1