Per ArsTechnica, RedHat discovered a security vulnerability in GnuTLS and published an alert on March 3. Thanks to andyrtr, the safe version (3.2.12-1) was pushed into extra on March 3 (i.e., same day).
You might consider updating GnuTLS.
Further details
http://arstechnica.com/security/2014/03 … sdropping/
Last edited by snakeroot (2014-03-04 23:53:21)
I'm curious as to what (if any) packages I have that are using GnuTLS - how can I determine this?
the command 'whoneeds' in pkgtools shows this.
(this AUR package is currently flagged as out-of-date but installed fine nonetheless for me)
for me this gives the following list of 49 out of my 945 installed packages:
$ whoneeds gnutls
Packages that depend on [gnutls]
ardour
bino
calligra-braindump
calligra-krita
calligra-meta
calligra-sheets
calligra-words
eclipse-38
ffmpeg
filezilla
grhino
gst-plugins-bad
gst-plugins-good
gstreamer0.10-good-plugins
guvcview
gvfs-gphoto2
kawoken-icons
kdebase-dolphin
kdebase-konq-plugins
kdebase-konqueror
kdebase-konsole
kdebase-workspace
kdebindings-python2
kdegames-kreversi
kdegraphics-gwenview
kdegraphics-ksnapshot
kdegraphics-okular
kde-gtk-config
kdemultimedia-kmix
kdenlive
kdesdk-kompare
kdeutils-ark
kdeutils-kcalc
kdeutils-print-manager
kipi-plugins
ktorrent
kwave
kwebkitpart
libreoffice-kde4
lwks
midori
opencv
opencv-samples
sirius
system-config-printer
uzbl-browser
vlc
vtk
Last edited by nourathar (2014-03-04 22:37:57)
Thanks nourathar! I lucked out with only pianobar being affected :-)
That says nothing about my other machines and mobile devices though. Continues to validate my "don't do any important internet stuff on my phone" lifestyle.
Also this topic should be "Upgrade to GnuTLS 3.2.12", rather than 3.12
nourathar wrote: the command 'whoneeds' in pkgtools shows this.
for me this gives the following list of 49 out of my 945 installed packages: [...]
pacman -Qi gnutls would give this for installed applications that use it.
I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.
nomorewindows wrote: pacman -Qi gnutls would give this for installed applications that use it.
Hi nomorewindows,
$ pacman -Qi gnutls
Name : gnutls
Version : 3.2.12-1
Description : A library which provides a secure layer over a reliable transport layer
Architecture : x86_64
URL : http://www.gnutls.org/
Licenses : GPL3 LGPL2.1
Groups : None
Provides : None
Depends On : gcc-libs libtasn1 readline zlib nettle p11-kit
Optional Deps : None
Required By : ffmpeg filezilla glib-networking gnome-vfs gst-plugins-bad libimobiledevice smbclient
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 4703.00 KiB
Packager : Andreas Radke <andyrtr@archlinux.org>
Build Date : Mon 03 Mar 2014 04:09:47 PM CET
Install Date : Tue 04 Mar 2014 11:24:30 PM CET
Install Reason : Installed as a dependency for another package
Install Script : Yes
Validated By : Signature
the output is very different though and in my case it lists only 7 packages.
It makes me really wonder what 'whoneeds' actually does?
I suppose 'whoneeds' lists all the packages I have installed that require one of these 7 and so recursively on?
ciao,
J.
Last edited by nourathar (2014-03-04 23:08:07)
nourathar wrote: It makes me really wonder what 'whoneeds' actually does?
thanks (I'm still not used to the fact that open source means that the source is ... open.. )
Last edited by nourathar (2014-03-04 23:21:55)
nourathar wrote: the output is very different though and in my case it lists only 7 packages.
It makes me really wonder what 'whoneeds' actually does?
I suppose 'whoneeds' lists all the packages I have installed that require one of these 7 and so recursively on?
Notice it said 49 of his 495 packages. And also notice that the same ones listed in your output are also in his output above.
pacman -Qi will tell you which packages directly depend on gnutls, but not necessarily all of the packages that use it. Remember, deps don't have to be listed if they're deps of something that's already a dep. To see the full tree, use `pactree -r gnutls`.
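To make the direct-versus-transitive distinction concrete, here is an added Python example (not code from the thread, pkgtools or pactree): it parses `pacman -Qi` output in the format shown above and computes both the direct dependents (the `Required By` field) and the full reverse-dependency closure that `pactree -r` / `whoneeds` walk. The package data it parses is a constructed sample, not a real system.

```python
import re
# Constructed sample of `pacman -Qi` output for all installed packages
# (real output has many more fields; only Name and Depends On are used).
SAMPLE_PACMAN_QI = """\
Name            : gnutls
Depends On      : gcc-libs  libtasn1  readline  zlib  nettle  p11-kit

Name            : glib-networking
Depends On      : glib2>=2.38  gnutls  libproxy

Name            : gvfs
Depends On      : glib-networking  libsoup

Name            : gvfs-gphoto2
Depends On      : gvfs  libgphoto2

Name            : ffmpeg
Depends On      : gnutls  lame  x264

Name            : vlc
Depends On      : ffmpeg  qt4

Name            : nettle
Depends On      : None
"""

def parse_pacman_qi(text):
    """Return {package: set of direct dependencies} from `pacman -Qi` text."""
    deps, name = {}, None
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Name":
            name = value
            deps[name] = set()
        elif key == "Depends On" and name and value != "None":
            # drop version constraints such as glib2>=2.38
            deps[name] = {re.split(r"[<>=]", tok)[0] for tok in value.split()}
    return deps

def direct_dependents(deps, target):
    """Packages listing target in Depends On: pacman -Qi's 'Required By' field."""
    return {pkg for pkg, d in deps.items() if target in d}

def transitive_dependents(deps, target):
    """Direct dependents plus their dependents, recursively (what pactree -r walks)."""
    seen, stack = set(), [target]
    while stack:
        for pkg in direct_dependents(deps, stack.pop()) - seen:
            seen.add(pkg)
            stack.append(pkg)
    return seen
```

On the sample, `direct_dependents` returns only glib-networking and ffmpeg, while `transitive_dependents` also pulls in gvfs, gvfs-gphoto2 and vlc, which is the gap between the 7 packages in `pacman -Qi gnutls` and the 49 from `whoneeds`.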
rdahlgren wrote: Also this topic should be "Upgrade to GnuTLS 3.2.12", rather than 3.12
Fixed. Thanks rdahlgren.
I don't have much particular to say about this, but I just want to start a discussion about how the GnuTLS vulnerability reported today in Ars Technica might affect Arch Linux users.
I have the gnutls 3.2.12-1 package installed on my system.
Last edited by zilverling (2014-03-05 15:00:54)
The actual issue has been fixed in gnutls 3.2.12. So as far as deploying the "fix" goes, everything should be good.
The above obviously does not apply if one would still run applications explicitly compiled against an older (and hence vulnerable) version of gnutls. Recompiling would be in order in those cases.
Burninate!
Quickly to be followed by 3.2.12.1, apparently because of accidental ABI breakage in 3.2.12
@Gcool and @brebs -- thanks for your feedback. Since posting my message I also noticed on http://gnutls.org/ that the vulnerability has been addressed in 3.2.12 and that there has been a minor update (3.2.12.1), not yet available in Arch Linux.
There already is https://bbs.archlinux.org/viewtopic.php?id=178008
@ zilverling, please edit the title of the thread and replace Closed with solved or something. Closed is used by the moderators to lock threads.
mod edit: This post became moot when I merged threads. It had been directed at the merged thread.[ewaller]
Last edited by ewaller (2014-03-05 15:50:05)
Merging threads. Thread title was: » Solved: Arch Linux users affected by GnuTLS vulnerability?
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
I am a little bit confused: The article talks of gnutls being a vital part of https. I run a web server, a part of which is using https. However, using the methods mentioned above, I can only link gnutls to a few specific internal networking-oriented applications, such as samba and mpd.
In other words, it doesn't seem to affect crucial external-facing things, such as the web server?
P.S. Apologies if this thread was supposed to have been locked down, but I figured that it wasn't purely a 'solve my problem'-thread but more of a discussion thread.
web server
openssl is usually used in preference to gnutls.
brebs wrote: openssl is usually used in preference to gnutls.
And pacman -Qi openssl confirms that this is the case for nginx, so that's all I needed to know. Thanks, brebs.