Bug 8390 - Our GnuTLS is out of date
Summary: Our GnuTLS is out of date
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Build system
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.18.0
Assignee: Alexander Zeijlon
URL:
Keywords: adaha_tester, relnotes
Depends on:
Blocks:
 
Reported: 2024-07-19 16:16 CEST by Samuel Mannehed
Modified: 2024-10-03 13:59 CEST

See Also:
Acceptance Criteria:
MUST:
* GnuTLS included in ThinLinc should not have any known security issues affecting ThinLinc users
SHOULD:
* The latest stable GnuTLS should be included in ThinLinc
EXTRA:
* GnuTLS and its dependencies should be updated to their latest versions (nettle, libtasn1, zlib and gmp)
Description Samuel Mannehed cendio 2024-07-19 16:16:24 CEST
We currently have GnuTLS 3.8.2 in our build system. The latest version is 3.8.6, and there have been some security fixes since our last upgrade:

3.8.3: https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html
3.8.4: https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html
3.8.5: https://lists.gnupg.org/pipermail/gnutls-help/2024-April/004846.html
3.8.6: https://lists.gnupg.org/pipermail/gnutls-help/2024-July/004848.html
Comment 1 Samuel Mannehed cendio 2024-07-19 16:23:21 CEST
Regarding the dependencies:

* nettle; we currently have 3.9.1 in our build system, 3.10 is available:
  https://ftp.gnu.org/gnu/nettle/

* libtasn1; we already have the latest version, 4.19.0:
  https://ftp.gnu.org/gnu/libtasn1/

* gmp; we already have the latest version, 6.3.0:
  https://gmplib.org/#DOWNLOAD
Comment 2 Alexander Zeijlon cendio 2024-09-23 09:27:09 CEST
Work on upgrading GnuTLS starts now after some delay.

I have taken a look at the dependencies listed in comment 1, and both libtasn1 and gmp are still at their latest versions.

GnuTLS has received more fixes:
3.8.7:   https://lists.gnupg.org/pipermail/gnutls-help/2024-August/004849.html
3.8.7.1: https://lists.gnupg.org/pipermail/gnutls-help/2024-August/004851.html

Nettle is still at version 3.10.
Comment 3 Alexander Zeijlon cendio 2024-09-23 10:56:41 CEST
The tarball for GnuTLS 3.8.7.1 contains a folder that isn't properly named. We can easily work around this, but it is worth a mention here, for visibility, just to make it clear that the workaround should be removed when possible.
Comment 4 Alexander Zeijlon cendio 2024-09-23 10:59:12 CEST
(In reply to Alexander Zeijlon from comment #3)

As a sanity check, I ran a diff between the unpacked folders for gnutls-3.8.7.tar.xz and gnutls-3.8.7.1.tar.xz. The latter contains the po-files mentioned in https://lists.gnupg.org/pipermail/gnutls-help/2024-August/004851.html.
Comment 5 Alexander Zeijlon cendio 2024-09-23 15:33:40 CEST
We should probably also upgrade zlib. The newest release, zlib 1.3.1, fixes a CVE found in the minizip component: https://nvd.nist.gov/vuln/detail/CVE-2023-45853

To my knowledge, we aren't using the minizip component in ThinLinc, but let's upgrade anyway. Doesn't hurt to be a bit future proof.
Comment 6 Alexander Zeijlon cendio 2024-09-24 10:40:57 CEST
Testing:
========

The server was set up to use our step-ca.

The tlclient can read certs from a smart card reader, and these are also passed through to the running session.

I also forced tlclient to use zlib compression by disabling JPEG compression and enabling SSH compression.

Web access works without issues on:
  - Firefox 130 on Fedora 40
  - Edge 129 on Windows 11
  - Edge 129 on Windows 10
  - Chrome 129 on Windows 10
  - Safari 17.5 on macOS (x86)
  - Safari 17.5 on macOS (M1)
  - Safari on iOS 17.6.1
  - Chrome 128 on Android

No problems have been seen after the upgrade of GnuTLS, Nettle and Zlib. Everything seems to be working as expected.
Comment 9 Alexander Zeijlon cendio 2024-09-25 14:01:35 CEST
(In reply to Alexander Zeijlon from comment #5)
> We should probably also upgrade zlib. The newest release, zlib 1.3.1 fixes a
> CVE found in the minizip component.
> https://nvd.nist.gov/vuln/detail/CVE-2023-45853
> 
> To my knowledge, we aren't using the minizip component in ThinLinc, but
> let's upgrade anyway. Doesn't hurt to be a bit future proof.

I inspected the built cenbuild zlib package, and it does in fact not contain a minizip binary or library.

Nevertheless, I saw that the CVE has been patched in the minizip source code.
Comment 10 Alexander Zeijlon cendio 2024-09-25 14:02:16 CEST
Everything looks good, no issues found when testing!
Comment 12 Adam Halim cendio 2024-10-02 12:19:37 CEST
The following CVEs were fixed between 3.8.2 and 3.8.7:

3.8.3:
======
* CVE-2024-0553 [1]
  This CVE is a follow-up to CVE-2023-5981, which was fixed when we upgraded to
  GnuTLS 3.8.2 in bug 8280. There still remains a timing side-channel
  vulnerability, which in theory makes it possible to leak sensitive data. This is
  quite complex to pull off in practice.

* CVE-2024-0567
  This vulnerability can cause a crash when validating certificate chains with
  a particular setup, using the tools 'cockpit' or 'certtool'. AFAIK, there is
  nothing ThinLinc specific that can trigger this bug.

3.8.4:
======
* CVE-2024-28834 [3]
  Affects the function gnutls_privkey_sign_data2(), which we don't use.

* CVE-2024-28835 [4, 5]
  Affects the function gnutls_x509_trust_list_verify_crt2(), which we don't
  use.

3.8.5 - 3.8.7.1:
======
* No CVE patches.

Overall, only CVE-2024-0553 affects ThinLinc, and an attack is unlikely to be pulled
off over the internet, as it is very timing-sensitive.

Zlib
====
In zlib 1.2.12, CVE-2022-37434 was fixed, which affects the function
inflateGetHeader(), which we don't use.

[1] https://gitlab.com/gnutls/gnutls/-/issues/1522 
[2] https://gitlab.com/gnutls/gnutls/-/issues/1521
[3] https://gitlab.com/gnutls/gnutls/-/issues/1516
[4] https://gitlab.com/gnutls/gnutls/-/issues/1527
[5] https://gitlab.com/gnutls/gnutls/-/issues/1525
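The triage in comment 12 rests on whether ThinLinc's binaries actually call the affected functions. The helper below is added here as an example and is not part of this bug or of ThinLinc's own tooling: it maps the CVEs above to the function names the comment gives, parses `nm -D --undefined-only` output, and reports which CVEs are reachable. The sample nm output is constructed, not taken from a real ThinLinc binary.

```python
"""Triage helper: which CVE-affected library functions does a binary import?"""
import subprocess

# CVE -> affected library function, as listed in the analysis above.
AFFECTED_SYMBOLS = {
    "CVE-2024-28834": "gnutls_privkey_sign_data2",
    "CVE-2024-28835": "gnutls_x509_trust_list_verify_crt2",
    "CVE-2022-37434": "inflateGetHeader",
}


def parse_nm_undefined(nm_output):
    """Return the set of imported symbols from `nm -D --undefined-only` output.

    Accepts both 'U' (undefined) and 'w' (weak undefined) entries and strips
    the '@VERSION' suffix nm prints for versioned symbols.
    """
    imported = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[-2] not in ("U", "w"):
            continue
        imported.add(parts[-1].split("@", 1)[0])
    return imported


def reachable_cves(imported, affected=AFFECTED_SYMBOLS):
    """CVEs whose affected function is among the binary's imports, sorted."""
    return sorted(cve for cve, sym in affected.items() if sym in imported)


def triage_binary(path):
    """Run nm on an ELF file (path is supplied by the caller) and triage it."""
    out = subprocess.run(["nm", "-D", "--undefined-only", path],
                         capture_output=True, text=True, check=True).stdout
    return reachable_cves(parse_nm_undefined(out))


# Constructed sample resembling `nm -D --undefined-only` output: this
# hypothetical binary imports a GnuTLS signing call and plain zlib inflate.
SAMPLE_NM_OUTPUT = """\
                 U gnutls_handshake@GNUTLS_3_4
                 U gnutls_privkey_sign_data2@GNUTLS_3_6_0
                 w __cxa_finalize@GLIBC_2.2.5
                 U inflate
                 U inflateInit2_
"""

if __name__ == "__main__":
    print(reachable_cves(parse_nm_undefined(SAMPLE_NM_OUTPUT)))
```

Run `triage_binary("/path/to/binary")` against each shipped executable and shared object; an empty list means none of the listed functions is imported, which is the "we don't use it" argument made above, checked mechanically.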
Comment 13 Adam Halim cendio 2024-10-02 15:30:02 CEST
Tested build #3712

Tested web access on:
=====================

* Firefox   131 on Windows 11
* Edge      129 on Windows 11
* Chrome    129 on Windows 11

* Safari    17.6.1 on iPadOS 17.6.1
* Chrome    129    on iPadOS 17.6.1
* Firefox   130.1  on iPadOS 17.6.1

* Firefox   130 on Android 13
* Edge      129 on Android 13
* Chrome    129 on Android 13

* Firefox   130  on macOS 15.0
* Edge      129  on macOS 15.0
* Chrome    129  on macOS 15.0
* Safari    18.0 on macOS 15.0

* Firefox 125 on Fedora 39

Tested web admin on:
====================

* Firefox   131 on Windows 11
* Edge      129 on Windows 11
* Chrome    129 on Windows 11

* Firefox   130  on macOS 15.0
* Edge      129  on macOS 15.0
* Chrome    129  on macOS 15.0
* Safari    18.0 on macOS 15.0

* Firefox   125  on Fedora 39

Everything works as expected.

> MUST:
>  ✅ GnuTLS included in ThinLinc should not have any known security issues 
>    affecting ThinLinc users
There are no known vulnerabilities in the latest stable version of GnuTLS.
> SHOULD:
>  ✅ The latest stable GnuTLS should be included in ThinLinc
Indeed, we have the latest stable release.
> EXTRA:
>  ✅ GnuTLS and its dependencies should be updated to their latest versions
>   (nettle, libtasn1, zlib and gmp)
Everything has been updated to the latest versions.

I'm leaving the bug as resolved, as there is still a comment regarding the release notes that hasn't been treated.
Comment 15 Alexander Zeijlon cendio 2024-10-03 13:59:56 CEST
The release note has been removed, closing!