Alerts This Week
Warning Icon 1 540
Alerts This Week
Warning Icon 1 540

Gentoo: 201206-18 Normal: GnuTLS Remote Attacks and DoS Threat

gentoo
Calendar Grey June 23, 2012
Dist Gentoo Esm H88
Several security flaws in GnuTLS enable remote threats, including man-in-the-middle assaults or denial-of-service attacks. It is advised to update for enhanced security.
Multiple vulnerabilities have been found in GnuTLS, allowing a remote attacker to perform man-in-the-middle or Denial of Service attacks.

Summary

Multiple vulnerabilities have been found in GnuTLS: * An error in libgnutls does not properly sanitize "\0" characters from certificate fields (CVE-2009-2730). * An error in the TLS and SSL protocols mistreats renegotiation handshakes (CVE-2009-3555). * A boundary error in the "gnutls_session_get_data()" function in gnutls_session.c could cause a buffer overflow (CVE-2011-4128). * An error in the "_gnutls_ciphertext2compressed()" function in gnutls_cipher.c could cause memory corruption (CVE-2012-1573).

Topics%20covered

Topics Covered

security advisory Gentoo remote attack Denial of Service normal GnuTLS

Resolution

All GnuTLS users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/gnutls-2.12.18"

References

[ 1 ] CVE-2009-2730 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2730 [ 2 ] CVE-2009-3555 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3555 [ 3 ] CVE-2011-4128 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4128 [ 4 ] CVE-2012-1573 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1573

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201206-18
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: GnuTLS: Multiple vulnerabilities
Date: June 23, 2012
Bugs: #281224, #292025, #389947, #409287
ID: 201206-18

Topics%20covered

Topics Covered

security advisory Gentoo remote attack Denial of Service normal GnuTLS

Synopsis

Multiple vulnerabilities have been found in GnuTLS, allowing a remote attacker to perform man-in-the-middle or Denial of Service attacks.

Background

GnuTLS is an Open Source implementation of the TLS 1.2 and SSL 3.0 protocols.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-libs/gnutls < 2.12.18 >= 2.12.18

Impact

===== A remote attacker could perform man-in-the-middle attacks to spoof arbitrary SSL servers or cause a Denial of Service condition in applications linked against GnuTLS.

Workaround

There is no known workaround at this time.

Related News

Your message here