[Slackware current]: Problem in Aug-30-2013 updates (?)
 

Pat:

Slackware issued a security bulletin announcing an upgrade to GnuTLS 3.0.26 to address CVE-2013-1619 (aka Lucky-13).
I believe this was a small lapsus; the fix wasn't introduced until GnuTLS 3.0.28.

However, as long as GnuTLS is being upgraded on Slackware 14 & current, any reason to avoid the latest 3.0.31 on 3.0.x?

Also, xlockmore was upgraded to version 5.43 but didn't receive a security notice though it was specifically released to address
CVE-2013-4143. How come?

--mancha

It appears to be correct. According to this page, the upstream version that fixed this problem is 3.0.28, not 3.0.26.

About xlockmore, i believe it's because there hasn't been any information about this on CVE's website.

Oops... I grabbed the latest from the out of date ftp.gnu.org archive. I'll try that again using ftp.gnupg.org instead.

By the way, I spent most of yesterday looking at gnutls for earlier versions, and found that none of the newer versions will compile on Slackware 13.37 or earlier without adding additional dependencies, and what patches I could find won't apply to the existing versions. On the bright side, not many programs used gnutls until Slackware 14.0. And as far as making a big version jump to fix earlier Slackware releases goes, based on my past experiences with gnutls I'm guessing both runtime and compile issues would be likely to occur.

If the xlockmore fix had anything to do with glibc-2.17 crypt() then it doesn't merit an advisory since it was never a problem in a stable release.

I'll take a look to see how much work would be involved in developing a full set of patches for virgin Slackware 12.1-13.37. No promises though; lot on my plate right now.

Yes, the CVE is related to the potential for bypassing the screen lock due to crypt() changes. I understand the criterion for noting CVEs in the ChangeLog now. Thanks.

--mancha

Slackware 12.1 - 13.0 already had an upgrade to gnutls-2.8.4 to fix previous issues, so those would be the versions to patch there. Anyway, I'm not sure I'd characterize the issues that exist as being anywhere near critical, especially in light of how few programs in 12.1 - 13.37 actually use gnutls for anything (although self-compiled things could be using it for more important purposes).

Compared to OpenSSL, gnutls isn't very maintainable. It's too bad all these licenses can't get along.

New gnutls updates out for 14.0 and -current.

FYI, for the latest version of wireshark to show the decrypted content of SSL traffic (with supplied key), it needs to compile with gnutls in stead of OpenSSL. And it requires a minimum gnutls version of 3.1.10.

Not sure if Slackware could upgrade the gnutls version to the current stable line of 3.1.x.

This turned out to be a lot more work than I bargained for. But, it's for a great distrib and I sorta offered, so...I rolled up my sleeves and
here it is.

gnutls-cve-backports.tar.bz2 contains patchsets for GnuTLS 2.8.4, GnuTLS 2.8.6, and GnuTLS 2.10.5 which address:

After their application, all publicly-disclosed GnuTLS vulnerabilities still outstanding in five Slackware versions (12.1-13.37) will be patched.
Slackware 14.0 & current are already OK.

Please take a look at the README first; It contains important info.

The signature (gnutls-cve-backports.tar.bz2.sig) was made with this key:

PGP: 0x25168EB24F0B22AC 56B7 100E F4D5 811C 8FEF ADD1 2516 8EB2 4F0B 22AC

--mancha