#1 2014-03-04 20:14:15

snakeroot
Member
Registered: 2012-10-06
Posts: 164

Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

Per ArsTechnica, RedHat discovered a security vulnerability in GnuTLS and published an alert on March 3. Thanks to andyrtr, the safe version (3.2.12-1) was pushed into extra on March 3 (i.e., same day).

You might consider updating GnuTLS.

Further details

http://arstechnica.com/security/2014/03 … sdropping/

Last edited by snakeroot (2014-03-04 23:53:21)

Offline

#2 2014-03-04 21:56:24

rdahlgren
Member
From: Middle States, USA
Registered: 2014-02-17
Posts: 36
Website

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

I'm curious as to what (if any) packages I have that are using GnuTLS - how can I determine this?

Offline

#3 2014-03-04 22:37:21

nourathar
Member
From: Bxl
Registered: 2013-04-26
Posts: 109

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

the command 'whoneeds' in pkgtools shows this.
(this AUR package is currently flagged as out-of-date but installed fine nonetheless for me)

for me this gives the following list of 49 out of my 945 installed packages:

$ whoneeds gnutls
Packages that depend on [gnutls]
  ardour
  bino
  calligra-braindump
  calligra-krita
  calligra-meta
  calligra-sheets
  calligra-words
  eclipse-38
  ffmpeg
  filezilla
  grhino
  gst-plugins-bad
  gst-plugins-good
  gstreamer0.10-good-plugins
  guvcview
  gvfs-gphoto2
  kawoken-icons
  kdebase-dolphin
  kdebase-konq-plugins
  kdebase-konqueror
  kdebase-konsole
  kdebase-workspace
  kdebindings-python2
  kdegames-kreversi
  kdegraphics-gwenview
  kdegraphics-ksnapshot
  kdegraphics-okular
  kde-gtk-config
  kdemultimedia-kmix
  kdenlive
  kdesdk-kompare
  kdeutils-ark
  kdeutils-kcalc
  kdeutils-print-manager
  kipi-plugins
  ktorrent
  kwave
  kwebkitpart
  libreoffice-kde4
  lwks
  midori
  opencv
  opencv-samples
  sirius
  system-config-printer
  uzbl-browser
  vlc
  vtk

Last edited by nourathar (2014-03-04 22:37:57)

Offline

#4 2014-03-04 22:43:24

rdahlgren
Member
From: Middle States, USA
Registered: 2014-02-17
Posts: 36
Website

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

Thanks nourathar! I lucked out with only pianobar being affected :-)

That says nothing about my other machines and mobile devices though. Continues to validate my "don't do any important internet stuff on my phone" lifestyle.

Offline

#5 2014-03-04 22:50:05

rdahlgren
Member
From: Middle States, USA
Registered: 2014-02-17
Posts: 36
Website

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

Also this topic should be "Upgrade to GnuTLS 3.2.12", rather than 3.12

Offline

#6 2014-03-04 22:58:46

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

nourathar wrote:

the command 'whoneeds' in pkgtools shows this.
(this AUR package is currently flagged as out-of-date but installed fine nonetheless for me)

for me this gives the following list of 49 out of my 945 installed packages:

$ whoneeds gnutls
Packages that depend on [gnutls]
  ardour
  bino
  calligra-braindump
  calligra-krita
  calligra-meta
  calligra-sheets
  calligra-words
  eclipse-38
  ffmpeg
  filezilla
  grhino
  gst-plugins-bad
  gst-plugins-good
  gstreamer0.10-good-plugins
  guvcview
  gvfs-gphoto2
  kawoken-icons
  kdebase-dolphin
  kdebase-konq-plugins
  kdebase-konqueror
  kdebase-konsole
  kdebase-workspace
  kdebindings-python2
  kdegames-kreversi
  kdegraphics-gwenview
  kdegraphics-ksnapshot
  kdegraphics-okular
  kde-gtk-config
  kdemultimedia-kmix
  kdenlive
  kdesdk-kompare
  kdeutils-ark
  kdeutils-kcalc
  kdeutils-print-manager
  kipi-plugins
  ktorrent
  kwave
  kwebkitpart
  libreoffice-kde4
  lwks
  midori
  opencv
  opencv-samples
  sirius
  system-config-printer
  uzbl-browser
  vlc
  vtk

pacman -Qi gnutls would give this for installed applications that use it.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#7 2014-03-04 23:06:59

nourathar
Member
From: Bxl
Registered: 2013-04-26
Posts: 109

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

nomorewindows wrote:

pacman -Qi gnutls would give this for installed applications that use it.

Hi nomorewindows,

$ pacman -Qi gnutls
Name           : gnutls
Version        : 3.2.12-1
Description    : A library which provides a secure layer over a reliable transport layer
Architecture   : x86_64
URL            : http://www.gnutls.org/
Licenses       : GPL3  LGPL2.1
Groups         : None
Provides       : None
Depends On     : gcc-libs  libtasn1  readline  zlib  nettle  p11-kit
Optional Deps  : None
Required By    : ffmpeg  filezilla  glib-networking  gnome-vfs  gst-plugins-bad  libimobiledevice  smbclient
Optional For   : None
Conflicts With : None
Replaces       : None
Installed Size : 4703.00 KiB
Packager       : Andreas Radke <andyrtr@archlinux.org>
Build Date     : Mon 03 Mar 2014 04:09:47 PM CET
Install Date   : Tue 04 Mar 2014 11:24:30 PM CET
Install Reason : Installed as a dependency for another package
Install Script : Yes
Validated By   : Signature

The output is very different though, and in my case it lists only 7 packages.
It makes me really wonder what 'whoneeds' actually does?
I suppose 'whoneeds' lists all the packages I have installed that require one of these 7, and so on recursively?

ciao,

J.

Last edited by nourathar (2014-03-04 23:08:07)

Offline

#8 2014-03-04 23:11:07

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

nourathar wrote:

It makes me really wonder what 'whoneeds' actually does ?

https://raw.github.com/Daenyth/pkgtools … needs.bash

Offline

#9 2014-03-04 23:21:35

nourathar
Member
From: Bxl
Registered: 2013-04-26
Posts: 109

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

Thanks (I'm still not used to the fact that open source means that the source is ... open :) )

Last edited by nourathar (2014-03-04 23:21:55)

Offline

#10 2014-03-04 23:24:20

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

nourathar wrote:
nomorewindows wrote:

pacman -Qi gnutls would give this for installed applications that use it.

Hi nomorewindows,

$ pacman -Qi gnutls
Name           : gnutls
Version        : 3.2.12-1
Description    : A library which provides a secure layer over a reliable transport layer
Architecture   : x86_64
URL            : http://www.gnutls.org/
Licenses       : GPL3  LGPL2.1
Groups         : None
Provides       : None
Depends On     : gcc-libs  libtasn1  readline  zlib  nettle  p11-kit
Optional Deps  : None
Required By    : ffmpeg  filezilla  glib-networking  gnome-vfs  gst-plugins-bad  libimobiledevice  smbclient
Optional For   : None
Conflicts With : None
Replaces       : None
Installed Size : 4703.00 KiB
Packager       : Andreas Radke <andyrtr@archlinux.org>
Build Date     : Mon 03 Mar 2014 04:09:47 PM CET
Install Date   : Tue 04 Mar 2014 11:24:30 PM CET
Install Reason : Installed as a dependency for another package
Install Script : Yes
Validated By   : Signature

the output is very different though and in my case  it lists only 7 packages.
It makes me really wonder what 'whoneeds' actually does ?
I suppose 'whoneeds' lists all the packages I have installed that require one of these 7 and so recursively on ?

ciao,

J.

Notice it said 49 of his 495 packages.  And also notice that the same ones listed in your output are also in his output above.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#11 2014-03-04 23:34:53

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,463

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

pacman -Qi will tell you which packages directly depend on gnutls, but not necessarily all of the packages that use it. Remember, deps don't have to be listed if they're deps of something that's already a dep. To see the full tree, use `pactree -r gnutls`.

Online
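
The difference between the direct "Required By" list and the full reverse tree described in the post above, as an added example that is not part of the thread: it walks the `Required By` fields of `pacman -Qi`-style text recursively. The function name `rdeps` and the sample package graph are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `pacman -Qi` style text on stdin.
# usage: LC_ALL=C pacman -Qi | rdeps PKG [direct]
rdeps() {
    awk -v root="$1" -v direct="${2:+1}" '
    function add(p, list,    n, a, i) {
        n = split(list, a, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (a[i] != "" && a[i] != "None") rb[p] = rb[p] " " a[i]
    }
    /^Name[ \t]*:/        { pkg = $3; field = ""; next }
    /^Required By[ \t]*:/ { field = "rb"; sub(/^[^:]*:[ \t]*/, ""); add(pkg, $0); next }
    /^[ \t]+[^ \t]/       { if (field == "rb") add(pkg, $0); next }  # wrapped list
                          { field = "" }
    END {
        # Breadth-first walk over the "Required By" edges, starting at root.
        queue[1] = root; head = 1; tail = 1; seen[root] = 1
        while (head <= tail) {
            if (direct && head > 1) break      # direct mode: expand root only
            n = split(rb[queue[head++]], a, " ")
            for (i = 1; i <= n; i++)
                if (!(a[i] in seen)) { seen[a[i]] = 1; queue[++tail] = a[i]; print a[i] }
        }
    }' | LC_ALL=C sort
}

# Constructed sample in `pacman -Qi` layout (trimmed fields, hypothetical graph).
sample_db() {
    cat <<'EOF'
Name           : gnutls
Required By    : ffmpeg  glib-networking

Name           : ffmpeg
Required By    : opencv  vlc

Name           : glib-networking
Required By    : midori

Name           : openssl
Required By    : nginx

Name           : nginx
Required By    : None
EOF
}

sample_db | rdeps gnutls direct   # direct dependents only, like the Required By field
sample_db | rdeps gnutls          # everything that pulls in gnutls transitively
```

On the sample data the direct list has two entries while the recursive walk has five, which is the same kind of gap as the 7 versus 49 packages seen earlier in the thread.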

#12 2014-03-04 23:54:18

snakeroot
Member
Registered: 2012-10-06
Posts: 164

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

rdahlgren wrote:

Also this topic should be "Upgrade to GnuTLS 3.2.12", rather than 3.12

Fixed. Thanks rdahlgren.

Offline

#13 2014-03-05 09:52:24

zilverling
Member
From: Bennekom, Netherlands
Registered: 2009-08-19
Posts: 82

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

I don't have much particular to say about this, but I just want to start a discussion about how the GnuTLS vulnerability reported today in Ars Technica might affect Arch Linux users.

I have the gnutls 3.2.12-1 package installed on my system.

Last edited by zilverling (2014-03-05 15:00:54)

Offline

#14 2014-03-05 10:09:12

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

The actual issue has been fixed in gnutls 3.2.12. So as far as deploying the "fix" goes, everything should be good.

The above obviously does not apply if one would still run applications explicitly compiled against an older (and hence vulnerable) version of gnutls. Recompiling would be in order in those cases.


Burninate!

Offline

#15 2014-03-05 11:16:40

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

Quickly to be followed by 3.2.12.1, apparently because of accidental ABI breakage in 3.2.12

Offline

#16 2014-03-05 13:25:22

zilverling
Member
From: Bennekom, Netherlands
Registered: 2009-08-19
Posts: 82

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

@Gcool and @brebs -- thanks for your feedback. Since posting my message I also noticed on http://gnutls.org/ that the vulnerability has been addressed in 3.2.12 and that there has been a minor update (3.2.12.1), not yet available in Arch Linux.

Offline

#17 2014-03-05 14:10:50

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

Offline

#18 2014-03-05 14:58:12

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

@zilverling, please edit the title of the thread and replace Closed with solved or something. Closed is used by the moderators to lock threads.

mod edit: This post became moot when I merged threads. It had been directed at the merged thread. [ewaller]

Last edited by ewaller (2014-03-05 15:50:05)

Offline

#19 2014-03-05 15:47:20

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

Merging threads.  Thread title was: » Solved: Arch Linux users affected by GnuTLS vulnerability?


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#20 2014-03-07 09:01:48

reannual
Member
From: Denmark
Registered: 2013-04-11
Posts: 21
Website

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

I am a little bit confused: The article talks of gnutls being a vital part of https. I run a web server, a part of which is using https. However, using the methods mentioned above, I can only link gnutls to a few specific internal networking-oriented applications, such as samba and mpd.

In other words, it doesn't seem to affect crucial external-facing things, such as the web server?

P.S. Apologies if this thread was supposed to have been locked down, but I figured that it wasn't purely a 'solve my problem'-thread but more of a discussion thread.

Offline

#21 2014-03-07 10:01:44

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

reannual wrote:

web server

openssl is usually used in preference to gnutls.

Offline

#22 2014-03-07 10:20:46

reannual
Member
From: Denmark
Registered: 2013-04-11
Posts: 21
Website

Re: Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

And pacman -Qi openssl confirms that this is the case for nginx, so that's all I needed to know. Thanks, brebs.

Offline
