Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 560
Alerts This Week
Warning Icon 1 560

Ubuntu 16.04 LTS USN-3183-1 Critical GnuTLS Remote Attack Advisory

ubuntu
Calendar Grey February 1, 2017
Scroller Ubuntu Esm H88
A security review has revealed critical vulnerabilities in GnuTLS affecting multiple Ubuntu LTS versions. Timely updates are essential to protect against remote attacks.
Several security issues were fixed in GnuTLS.

Summary

Several security issues were fixed in GnuTLS.

Software Description:

- gnutls28: GNU TLS library

- gnutls26: GNU TLS library

Details:

Stefan Buehler discovered that GnuTLS incorrectly verified the serial

length of OCSP responses. A remote attacker could possibly use this issue

to bypass certain certificate validation measures. This issue only applied

to Ubuntu 16.04 LTS. (CVE-2016-7444)

Shi Lei discovered that GnuTLS incorrectly handled certain warning alerts.

A remote attacker could possibly use this issue to cause GnuTLS to hang,

resulting in a denial of service. This issue has only been addressed in

Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-8610)

It was discovered that GnuTLS incorrectly decoded X.509 certificates with a

Proxy Certificate Information extension. A remote attacker could use this

issue to cause GnuTLS to crash, resulting in a denial of service, or

possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS

and Ubuntu 16....

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
  libgnutls30                     3.5.3-5ubuntu1.1

Ubuntu 16.04 LTS:
  libgnutls30                     3.4.10-4ubuntu1.2

Ubuntu 14.04 LTS:
  libgnutls26                     2.12.23-12ubuntu2.6

Ubuntu 12.04 LTS:
  libgnutls26                     2.12.14-5ubuntu3.13

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3183-1

CVE-2016-7444, CVE-2016-8610, CVE-2017-5334, CVE-2017-5335,

CVE-2017-5336, CVE-2017-5337

Severity
critical
Lowest
Low
Medium
High
Critical

February 01, 2017

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.