-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] gnutls (SSA:2021-145-01)
New gnutls packages are available for Slackware 14.2 and -current to
fix security issues.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/gnutls-3.6.16-i586-1_slack14.2.txz: Upgraded.
Fixed potential miscalculation of ECDSA/EdDSA code backported from Nettle.
In GnuTLS, as long as it is built and linked against the fixed version of
Nettle, this only affects GOST curves. [CVE-2021-20305]
Fixed potential use-after-free in sending "key_share" and "pre_shared_key"
extensions. When sending those extensions, the client may dereference a
pointer no longer valid after realloc. This happens only when the client
sends a large Client Hello message, e.g., when HRR is sent in a resumed
session previously negotiated large FFDHE parameters, because the initial
allocation of the buffer is large enough without having to call realloc
(#1151). [GNUTLS-SA-2021-03-10, CVSS: low]
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20305
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(https://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on https://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/gnutls-3.6.16-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/gnutls-3.6.16-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/gnutls-3.6.16-i586-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/gnutls-3.6.16-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 14.2 package:
e5e090aec3cb58a0827c439b147f390a gnutls-3.6.16-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
be595ec5fcdbca3785300b5afb522cbc gnutls-3.6.16-x86_64-1_slack14.2.txz
Slackware -current package:
31f28c68fa45993cbbf776e8c9617bef n/gnutls-3.6.16-i586-1.txz
Slackware x86_64 -current package:
8ad989f9a529c145019bb4b31dd7c749 n/gnutls-3.6.16-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg gnutls-3.6.16-i586-1_slack14.2.txz
+-----+
Slackware: 2021-145-01: gnutls Security Update
May 25, 2021
New gnutls packages are available for Slackware 14.2 and -current to fix security issues
Summary
Here are the details from the Slackware 14.2 ChangeLog:patches/packages/gnutls-3.6.16-i586-1_slack14.2.txz: Upgraded. Fixed potential miscalculation of ECDSA/EdDSA code backported from Nettle. In GnuTLS, as long as it is built and linked against the fixed version of Nettle, this only affects GOST curves. [CVE-2021-20305] Fixed potential use-after-free in sending "key_share" and "pre_shared_key" extensions. When sending those extensions, the client may dereference a pointer no longer valid after realloc. This happens only when the client sends a large Client Hello message, e.g., when HRR is sent in a resumed session previously negotiated large FFDHE parameters, because the initial allocation of the buffer is large enough without having to call realloc (#1151). [GNUTLS-SA-2021-03-10, CVSS: low] For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20305 (* Security fix *)
Where Find New Packages
Thanks to the friendly folks at the OSU Open Source Lab
(https://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on https://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/gnutls-3.6.16-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/gnutls-3.6.16-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/gnutls-3.6.16-i586-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/gnutls-3.6.16-x86_64-1.txz
MD5 Signatures
Slackware 14.2 package:
e5e090aec3cb58a0827c439b147f390a gnutls-3.6.16-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
be595ec5fcdbca3785300b5afb522cbc gnutls-3.6.16-x86_64-1_slack14.2.txz
Slackware -current package:
31f28c68fa45993cbbf776e8c9617bef n/gnutls-3.6.16-i586-1.txz
Slackware x86_64 -current package:
8ad989f9a529c145019bb4b31dd7c749 n/gnutls-3.6.16-x86_64-1.txz
Severity
[slackware-security] gnutls (SSA:2021-145-01)
New gnutls packages are available for Slackware 14.2 and -current to fix security issues.
Installation Instructions
Installation instructions: Upgrade the package as root: # upgradepkg gnutls-3.6.16-i586-1_slack14.2.txz
News
HOWTOs
Features
Secure Linux Hosting for Businesses
What Is Threat Intelligence?
CloudLinux Simplifies & Enhances Linux Security with its TuxCare Unified Enterprise Support Services
LinuxSecurity, Leading Provider of Linux Security News and Information, Unveils its New Website
Biden's New Executive Cybersecurity Order Highlights the Power of Open-Source Security
About Us
Powered By
