-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  gnutls (SSA:2008-315-01)

New gnutls packages are available for Slackware 12.0, 12.1, and -current to
fix a security issue.

NOTE:  The package for 12.0 has a different shared library soname, and the
packages for 12.1 and -current have an API/ABI change.  Only the Pidgin package
in Slackware links with GnuTLS, and upgraded Pidgin packages have also been
made available.  However, if the updated GnuTLS package is installed any other
custom-compiled software that uses GnuTLS may need to be recompiled.

More details about this issue will become available in the Common
Vulnerabilities and Exposures (CVE) database:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989


Here are the details from the Slackware 12.1 ChangeLog:
+--------------------------+
patches/packages/gnutls-2.6.1-i486-1_slack12.1.tgz:
  Upgraded to gnutls-2.6.1.
  From the gnutls-2.6.1 NEWS file:
    ** libgnutls: Fix X.509 certificate chain validation error.
    [GNUTLS-SA-2008-3]  The flaw makes it possible for man in the middle
    attackers (i.e., active attackers) to assume any name and trick GNU TLS
    clients into trusting that name.  Thanks for report and analysis from
    Martin von Gagern .  [CVE-2008-4989]
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989
  IMPORTANT NOTE:  This update modifies the API and ABI for the
  gnutls_pk_params_st function.  Any software that uses the function will
  need to be recompiled.
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

HINT:  Getting slow download speeds from ftp.slackware.com?
Give slackware.osuosl.org a try.  This is another primary FTP site
for Slackware that can be considerably faster than downloading
directly from ftp.slackware.com.

Thanks to the friendly folks at the OSU Open Source Lab
(https://osuosl.org/) for donating additional FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://www.slackware.com/ for
additional mirror sites near you.

Updated package for Slackware 12.0:

Updated package for Slackware 12.1:

Updated package for Slackware -current:


MD5 signatures:
+-------------+

Slackware 12.0 package:
b2f8679618d7bca27161ee9e77e40be7  gnutls-2.6.1-i486-1_slack12.0.tgz

Slackware 12.1 package:
d71c4984aeb90571d57d55129913fa19  gnutls-2.6.1-i486-1_slack12.1.tgz

Slackware -current package:
a8bb0f8f70b96135a69e3eba04122e7a  gnutls-2.6.1-i486-1.tgz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg gnutls-2.6.1-i486-1_slack12.1.tgz

Also install the new Pidgin package if you use it.  Slackware 12.0 will
require a recompile of any locally compiled GnuTLS linked packages.
Recompiling locally compiled GnuTLS linked software is also recommended
with Slackware 12.1 and -current, although it is probable that a lot of
software would work without a recompile since only a single function
(gnutls_pk_params_st) was changed.


+-----+

Slackware: 2008-315-01: gnutls Security Update

November 11, 2008
New gnutls packages are available for Slackware 12.0, 12.1, and -current to fix a security issue

Summary

Here are the details from the Slackware 12.1 ChangeLog: patches/packages/gnutls-2.6.1-i486-1_slack12.1.tgz: Upgraded to gnutls-2.6.1. From the gnutls-2.6.1 NEWS file: ** libgnutls: Fix X.509 certificate chain validation error. [GNUTLS-SA-2008-3] The flaw makes it possible for man in the middle attackers (i.e., active attackers) to assume any name and trick GNU TLS clients into trusting that name. Thanks for report and analysis from Martin von Gagern . [CVE-2008-4989] For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989 IMPORTANT NOTE: This update modifies the API and ABI for the gnutls_pk_params_st function. Any software that uses the function will need to be recompiled. (* Security fix *)

Where Find New Packages

HINT: Getting slow download speeds from ftp.slackware.com? Give slackware.osuosl.org a try. This is another primary FTP site for Slackware that can be considerably faster than downloading directly from ftp.slackware.com.
Thanks to the friendly folks at the OSU Open Source Lab (https://osuosl.org/) for donating additional FTP and rsync hosting to the Slackware project! :-)
Also see the "Get Slack" section on http://www.slackware.com/ for additional mirror sites near you.
Updated package for Slackware 12.0:
Updated package for Slackware 12.1:
Updated package for Slackware -current:

MD5 Signatures

Slackware 12.0 package: b2f8679618d7bca27161ee9e77e40be7 gnutls-2.6.1-i486-1_slack12.0.tgz
Slackware 12.1 package: d71c4984aeb90571d57d55129913fa19 gnutls-2.6.1-i486-1_slack12.1.tgz
Slackware -current package: a8bb0f8f70b96135a69e3eba04122e7a gnutls-2.6.1-i486-1.tgz

Severity
[slackware-security] gnutls (SSA:2008-315-01)
New gnutls packages are available for Slackware 12.0, 12.1, and -current to fix a security issue.
NOTE: The package for 12.0 has a different shared library soname, and the packages for 12.1 and -current have an API/ABI change. Only the Pidgin package in Slackware links with GnuTLS, and upgraded Pidgin packages have also been made available. However, if the updated GnuTLS package is installed any other custom-compiled software that uses GnuTLS may need to be recompiled.
More details about this issue will become available in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989

Installation Instructions

Installation instructions: Upgrade the package as root: # upgradepkg gnutls-2.6.1-i486-1_slack12.1.tgz Also install the new Pidgin package if you use it. Slackware 12.0 will require a recompile of any locally compiled GnuTLS linked packages. Recompiling locally compiled GnuTLS linked software is also recommended with Slackware 12.1 and -current, although it is probable that a lot of software would work without a recompile since only a single function (gnutls_pk_params_st) was changed.

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved