Date: Thu, 21 May 2009 18:38:31 +0400 (MSD) From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> To: FreeBSD-gnats-submit@freebsd.org Subject: ports/134785: [patch][vuxml] security/gnutls: update to 2.6.6 and document fixed vulnerabilities Message-ID: <20090521143831.A8B28DA837@void.codelabs.ru> Resent-Message-ID: <200905211440.n4LEe3K6058494@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 134785 >Category: ports >Synopsis: [patch][vuxml] security/gnutls: update to 2.6.6 and document fixed vulnerabilities >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu May 21 14:40:03 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.2-STABLE amd64 >Organization: Code Labs >Environment: System: FreeBSD 7.2-STABLE amd64 >Description: GnuTLS 2.6.6 is mostly a bugfix release that fixes 3 CVEs: [1], [2], [3] and [4]. Judging by release notes for gnutls-2.7.9, all three bugs were fixed before 2.7.8 and after 2.7.7, so I am marking gnutls-devel < 2.7.8 (current port version) as vulnerable too. >How-To-Repeat: [1] http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3514 [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1415 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1416 [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417 >Fix: The following patch updates to port to 2.6.6. I had tested its compilability and basic operations. --- update-to.2.6.6.diff begins here --- >From 6c9ce64c583931d5e669c72cd7e3ed7a41c6521c Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Thu, 21 May 2009 18:19:23 +0400 http://www.gnu.org/software/gnutls/security.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1415 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1416 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417 Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- security/gnutls/Makefile | 2 +- security/gnutls/distinfo | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile index 1d33275..ed148a6 100644 --- a/security/gnutls/Makefile +++ b/security/gnutls/Makefile @@ -6,7 +6,7 @@ # PORTNAME= gnutls -PORTVERSION= 2.6.5 +PORTVERSION= 2.6.6 CATEGORIES= security net MASTER_SITES= ${MASTER_SITE_GNU} \ ${MASTER_SITE_GNUPG} diff --git a/security/gnutls/distinfo b/security/gnutls/distinfo index c5d70d2..f60cc82 100644 --- a/security/gnutls/distinfo +++ b/security/gnutls/distinfo @@ -1,3 +1,3 @@ -MD5 (gnutls-2.6.5.tar.bz2) = 92b92c36b616aa8bd69a9a0fb2b8eb24 -SHA256 (gnutls-2.6.5.tar.bz2) = e78be636072c0ab748ccf1742c4b41fc7aaff98b43166cfbc8df91c7185501cb -SIZE (gnutls-2.6.5.tar.bz2) = 5112923 +MD5 (gnutls-2.6.6.tar.bz2) = ca2489e29f9dc313a79b9747bb1090e5 +SHA256 (gnutls-2.6.6.tar.bz2) = 03d85b8b51ca7885740c69b87663963c58fe7c9672da0a43e45732078fabdc9e +SIZE (gnutls-2.6.6.tar.bz2) = 5116385 -- 1.6.3.1 --- update-to.2.6.6.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- <vuln vid="b31a1088-460f-11de-a11a-0022156e8794"> <topic>GnuTLS -- multiple vulnerabilities</topic> <affects> <package> <name>gnutls</name> <range><lt>2.6.6</lt></range> </package> <package> <name>gnutls-devel</name> <range><lt>2.7.8</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml">; <p>SecurityFocus reports:</p> <blockquote cite="http://www.securityfocus.com/bid/34783/discuss">; <p>GnuTLS is prone to multiple remote vulnerabilities:</p> <ul> <li>A remote code-execution vulnerability.</li> <li>A denial-of-service vulnerability.</li> <li>A signature-generation vulnerability.</li> <li>A signature-verification vulnerability.</li> </ul> <p>An attacker can exploit these issues to potentially execute arbitrary code, trigger denial-of-service conditions, carry out attacks against data signed with weak signatures, and cause clients to accept expired or invalid certificates from servers.</p> </blockquote> </body> </description> <references> <cvename>CVE-2009-1415</cvename> <cvename>CVE-2009-1416</cvename> <cvename>CVE-2009-1417</cvename> <bid>34783</bid> <url>http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3515</url>; <url>http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3516</url>; <url>http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3517</url>; </references> <dates> <discovery>2009-05-21</discovery> <entry>TODAY</entry> </dates> </vuln> --- vuln.xml ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090521143831.A8B28DA837>