Bug 921684 - (CVE-2015-0282) VUL-0: CVE-2015-0282: gnutls: GNUTLS-SA-2015-1: Signature forgery
VUL-0: CVE-2015-0282: gnutls: GNUTLS-SA-2015-1: Signature forgery
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle11-sp1:61304 maint...
Depends on:
  Show dependency treegraph
Reported: 2015-03-11 08:38 UTC by Marcus Meissner
Modified: 2015-04-08 07:55 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2015-03-11 08:38:53 UTC
from gnutls.org website:

This issue only affects versions of GnuTLS prior to 3.1.0 (released in 2012). These versions don't verify the RSA PKCS #1 signature algorithm to match the signature algorithm in the certificate, leading to a potential downgrade to a disallowed algorithm, such as MD5, without detecting it.
Comment 1 Swamp Workflow Management 2015-03-11 12:41:08 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-03-25.
When done, reassign the bug to security-team@suse.de.
Comment 2 Marcus Meissner 2015-03-11 12:48:27 UTC
commit d326f81daed5a1a06476d66a81584f8c7b71141d
Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Mon Feb 23 10:03:47 2015 +0100

    Added fix for GNUTLS-SA-2015-1

in https://gitlab.com/gnutls/gnutls.git gnutls_2_12_x branch
Comment 3 Swamp Workflow Management 2015-03-11 23:00:13 UTC
bugbot adjusting priority
Comment 8 Andreas Stieger 2015-04-07 15:41:03 UTC
Comment 9 Swamp Workflow Management 2015-04-08 01:05:13 UTC
SUSE-SU-2015:0675-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 919938,921684
CVE References: CVE-2014-8155,CVE-2015-0282,CVE-2015-0294
Sources used:
SUSE Manager 1.7 for SLE 11 SP2 (src):    gnutls-2.4.1-
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    gnutls-2.4.1-
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    gnutls-2.4.1-
SUSE Linux Enterprise Server 11 SP3 (src):    gnutls-2.4.1-
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    gnutls-2.4.1-
SUSE Linux Enterprise Desktop 11 SP3 (src):    gnutls-2.4.1-