
Ubuntu 14.04 LTS USN-3183-2 Critical: GnuTLS DoS Attack

GnuTLS could be made to hang if it received specially crafted network traffic.
=========================================================================
Ubuntu Security Notice USN-3183-2
March 20, 2017

gnutls26 vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

GnuTLS could be made to hang if it received specially crafted network
traffic.

Software Description:
- gnutls26: GNU TLS library

Details:

USN-3183-1 fixed CVE-2016-8610 in GnuTLS in Ubuntu 16.04 LTS and Ubuntu
16.10. This update provides the corresponding update for Ubuntu 12.04 LTS
and Ubuntu 14.04 LTS.

Original advisory details:

 Stefan Buehler discovered that GnuTLS incorrectly verified the serial
 length of OCSP responses. A remote attacker could possibly use this issue
 to bypass certain certificate validation measures. This issue only applied
 to Ubuntu 16.04 LTS. (CVE-2016-7444)

 Shi Lei discovered that GnuTLS incorrectly handled certain warning alerts.
 A remote attacker could possibly use this issue to cause GnuTLS to hang,
 resulting in a denial of service. This issue has only been addressed in
 Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-8610)

 It was discovered that GnuTLS incorrectly decoded X.509 certificates with a
 Proxy Certificate Information extension. A remote attacker could use this
 issue to cause GnuTLS to crash, resulting in a denial of service, or
 possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS
 and Ubuntu 16.10. (CVE-2017-5334)

 It was discovered that GnuTLS incorrectly handled certain OpenPGP
 certificates. A remote attacker could possibly use this issue to cause
 GnuTLS to crash, resulting in a denial of service, or possibly execute
 arbitrary code. (CVE-2017-5335, CVE-2017-5336, CVE-2017-5337)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  libgnutls26                     2.12.23-12ubuntu2.7

Ubuntu 12.04 LTS:
  libgnutls26                     2.12.14-5ubuntu3.14

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-3183-2
  https://ubuntu.com/security/notices/USN-3183-1
  CVE-2016-8610

Package Information:
  https://launchpad.net/ubuntu/+source/gnutls26/2.12.23-12ubuntu2.7
  https://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu3.14

