-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: evolution security and bug fix update
Advisory ID:       RHSA-2019:3699-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3699
Issue date:        2019-11-05
CVE Names:         CVE-2019-3890
====================================================================

1. Summary:

An update for evolution, evolution-data-server, and evolution-ews is now
available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - noarch, ppc64le, x86_64
Red Hat Enterprise Linux AppStream (v. 8) - noarch, ppc64le, x86_64

3. Description:

Evolution is a GNOME application that provides integrated email, calendar,
contact management, and communications functionality.

Security Fix(es):

* evolution-ews: all certificate errors ignored if configured to ignore an
initial error in gnome-online-accounts creation, resulting in the connection
being open to being viewed and modified. (CVE-2019-3890)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Evolution must be restarted for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1678313 - CVE-2019-3890 evolution-ews: all certificate errors ignored if configured to ignore an initial error in gnome-online-accounts creation resulting in the connection open to being viewed and modified.
1713619 - [abrt] test-cal-client-get-revision could fail due to delayed D-Bus property change notification
1724232 - Help Contents (F1) has a bad link to GNOME site
1724984 - [ECompEditor] Ensure attendee changes stored before save

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
evolution-3.28.5-9.el8.src.rpm
evolution-data-server-3.28.5-11.el8.src.rpm
evolution-ews-3.28.5-5.el8.src.rpm

noarch:
evolution-data-server-langpacks-3.28.5-11.el8.noarch.rpm
evolution-ews-langpacks-3.28.5-5.el8.noarch.rpm
evolution-help-3.28.5-9.el8.noarch.rpm
evolution-langpacks-3.28.5-9.el8.noarch.rpm

ppc64le:
evolution-3.28.5-9.el8.ppc64le.rpm
evolution-bogofilter-3.28.5-9.el8.ppc64le.rpm
evolution-bogofilter-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-data-server-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-debugsource-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-devel-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.ppc64le.rpm
evolution-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-debugsource-3.28.5-9.el8.ppc64le.rpm
evolution-ews-3.28.5-5.el8.ppc64le.rpm
evolution-ews-debuginfo-3.28.5-5.el8.ppc64le.rpm
evolution-ews-debugsource-3.28.5-5.el8.ppc64le.rpm
evolution-pst-3.28.5-9.el8.ppc64le.rpm
evolution-pst-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-spamassassin-3.28.5-9.el8.ppc64le.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.ppc64le.rpm

x86_64:
evolution-3.28.5-9.el8.x86_64.rpm
evolution-bogofilter-3.28.5-9.el8.x86_64.rpm
evolution-bogofilter-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-data-server-3.28.5-11.el8.i686.rpm
evolution-data-server-3.28.5-11.el8.x86_64.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.i686.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.x86_64.rpm
evolution-data-server-debugsource-3.28.5-11.el8.i686.rpm
evolution-data-server-debugsource-3.28.5-11.el8.x86_64.rpm
evolution-data-server-devel-3.28.5-11.el8.i686.rpm
evolution-data-server-devel-3.28.5-11.el8.x86_64.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.i686.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.x86_64.rpm
evolution-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-debugsource-3.28.5-9.el8.x86_64.rpm
evolution-ews-3.28.5-5.el8.x86_64.rpm
evolution-ews-debuginfo-3.28.5-5.el8.x86_64.rpm
evolution-ews-debugsource-3.28.5-5.el8.x86_64.rpm
evolution-pst-3.28.5-9.el8.x86_64.rpm
evolution-pst-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-spamassassin-3.28.5-9.el8.x86_64.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

noarch:
evolution-data-server-doc-3.28.5-11.el8.noarch.rpm

ppc64le:
evolution-bogofilter-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-debugsource-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-perl-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-tests-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.ppc64le.rpm
evolution-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-debugsource-3.28.5-9.el8.ppc64le.rpm
evolution-devel-3.28.5-9.el8.ppc64le.rpm
evolution-pst-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.ppc64le.rpm

x86_64:
evolution-bogofilter-debuginfo-3.28.5-9.el8.i686.rpm
evolution-bogofilter-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.i686.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.x86_64.rpm
evolution-data-server-debugsource-3.28.5-11.el8.i686.rpm
evolution-data-server-debugsource-3.28.5-11.el8.x86_64.rpm
evolution-data-server-perl-3.28.5-11.el8.x86_64.rpm
evolution-data-server-tests-3.28.5-11.el8.i686.rpm
evolution-data-server-tests-3.28.5-11.el8.x86_64.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.i686.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.x86_64.rpm
evolution-debuginfo-3.28.5-9.el8.i686.rpm
evolution-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-debugsource-3.28.5-9.el8.i686.rpm
evolution-debugsource-3.28.5-9.el8.x86_64.rpm
evolution-devel-3.28.5-9.el8.i686.rpm
evolution-devel-3.28.5-9.el8.x86_64.rpm
evolution-pst-debuginfo-3.28.5-9.el8.i686.rpm
evolution-pst-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.i686.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-3890
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXcHza9zjgjWX9erEAQjMwBAAmWSC5AVB5A6rOjhyljU7+YPOVyz1Sxkb
28K26IIVyD4IuGO7n6Ge1L3/u37NVkTlquPKxqqdW70Cw7pKVkBxxdFF/14czTAD
SldbEteKY4dT+uAihPRKQMoFTggtJbzBGjr7ikVg0b+hZW+b3AXhYLtC0HMiy1BQ
21ZpqwsOTNm7KvnBjGptbJyHEc8LCwuckONhO8IhEHqw8DkmlIlcS3CH1zZr2IwO
Asw+3ixk9uQH+vDWGvlBe+XXpPY/6mhUbFRuvAaEvK80eH02LTRXGwCHYUf3ZRvx
Fms5v5TM9M1FB6qkb/nRLh9Gl83BWeOiVOzhWvxMpInqDn21MMMoYvpFlqOmWyU9
znLbCiM60x/agwaMhXadCO2ZjxV+Y/in6HfcIn2SWFA0J4bMvTXLxpf9uIKP1sUj
my8Q/aGyskdY1fMZ9eQqDNOqdKDA2Iax1S3Q6EeHbM9FkfM5x2ynrykV4IdI8t8P
IX6M4fe4BXRaHj9lvn0VC6Me0bP+LU+Q4OSqLkKKUSS0v/3TINk6HcjRHuh0ZJGa
fdFVlw7KuA5292wSkgXJNTvAnLNlbq1OH35fXLDQLxfNhotuX8kiOV9TeBXhK/aT
GTMvrsdSI4985duDLZa2wuFRNhvgyMTwTZ+IGuAe90zl6wTfHAFLIaCG039i7dsN
OEeMg9PzziI=P/Fg
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 201703-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: cURL: Certificate validation error
      Date: March 28, 2017
      Bugs: #610572
        ID: 201703-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A coding error has been found in cURL, causing the TLS Certificate
Status Request extension check to always return true.

Background
==========

cURL is a tool and libcurl is a library for transferring data with URL
syntax.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/curl                < 7.53.0                  >= 7.53.0

Description
===========

cURL and applications linked against libcurl support "OCSP stapling",
also known as the TLS Certificate Status Request extension (using the
CURLOPT_SSL_VERIFYSTATUS option). When telling cURL to use this feature,
it uses that TLS extension to ask for a fresh proof of the server's
certificate's validity. If the server doesn't support the extension, or
fails to provide said proof, cURL is expected to return an error.

Due to a coding mistake, the code that checks for a test success or
failure ends up always thinking there's valid proof, even when there is
none or if the server doesn't support the TLS extension in question.

Impact
======

Due to the error, a user may not detect when a server's certificate
becomes invalid, or may otherwise be misled into believing that the
server is in a better shape than it is in reality.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All cURL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/curl-7.53.0"

References
==========

[ 1 ] CVE-2017-2629
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2629

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201703-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
SUSE Security Update: Security update for gnutls
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0321-1
Rating:             critical
References:         #865804 #865993
Cross-References:   CVE-2014-0092
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

   An update that solves one vulnerability and has one errata
   is now available.

Description:

   The GnuTLS library received a critical security fix and other updates:

   * CVE-2014-0092: The X.509 certificate verification had incorrect error
     handling, which could lead to broken certificates marked as being
     valid.

   * CVE-2009-5138: A verification problem in handling V1 certificates
     could also lead to V1 certificates incorrectly being handled.

   Security Issue references:

   * CVE-2014-0092

Package List:

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):

      gnutls-1.2.10-13.38.1
      gnutls-devel-1.2.10-13.38.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):

      gnutls-32bit-1.2.10-13.38.1
      gnutls-devel-32bit-1.2.10-13.38.1

References:

   https://www.suse.com/security/cve/CVE-2014-0092.html
====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: gnutls security update
Advisory ID:       RHSA-2014:0246-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2014:0246.html
Issue date:        2014-03-03
CVE Names:         CVE-2014-0092
====================================================================

1. Summary:

Updated gnutls packages that fix one security issue are now available for
Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The GnuTLS library provides support for cryptographic algorithms and for
protocols such as Transport Layer Security (TLS).

It was discovered that GnuTLS did not correctly handle certain errors that
could occur during the verification of an X.509 certificate, causing it to
incorrectly report a successful verification. An attacker could use this
flaw to create a specially crafted certificate that could be accepted by
GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)

The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the
Red Hat Security Technologies Team.

Users of GnuTLS are advised to upgrade to these updated packages, which
correct this issue. For the update to take effect, all applications linked
to the GnuTLS library must be restarted.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1069865 - CVE-2014-0092 gnutls: incorrect error handling in certificate verification (GNUTLS-SA-2014-2)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:

i386:
gnutls-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-utils-2.8.5-13.el6_5.i686.rpm

x86_64:
gnutls-2.8.5-13.el6_5.i686.rpm
gnutls-2.8.5-13.el6_5.x86_64.rpm
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-utils-2.8.5-13.el6_5.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:

i386:
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-devel-2.8.5-13.el6_5.i686.rpm
gnutls-guile-2.8.5-13.el6_5.i686.rpm

x86_64:
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-devel-2.8.5-13.el6_5.i686.rpm
gnutls-devel-2.8.5-13.el6_5.x86_64.rpm
gnutls-guile-2.8.5-13.el6_5.i686.rpm
gnutls-guile-2.8.5-13.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:

x86_64:
gnutls-2.8.5-13.el6_5.i686.rpm
gnutls-2.8.5-13.el6_5.x86_64.rpm
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-utils-2.8.5-13.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:

x86_64:
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-devel-2.8.5-13.el6_5.i686.rpm
gnutls-devel-2.8.5-13.el6_5.x86_64.rpm
gnutls-guile-2.8.5-13.el6_5.i686.rpm
gnutls-guile-2.8.5-13.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:

i386:
gnutls-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-devel-2.8.5-13.el6_5.i686.rpm
gnutls-utils-2.8.5-13.el6_5.i686.rpm

ppc64:
gnutls-2.8.5-13.el6_5.ppc.rpm
gnutls-2.8.5-13.el6_5.ppc64.rpm
gnutls-debuginfo-2.8.5-13.el6_5.ppc.rpm
gnutls-debuginfo-2.8.5-13.el6_5.ppc64.rpm
gnutls-devel-2.8.5-13.el6_5.ppc.rpm
gnutls-devel-2.8.5-13.el6_5.ppc64.rpm
gnutls-utils-2.8.5-13.el6_5.ppc64.rpm

s390x:
gnutls-2.8.5-13.el6_5.s390.rpm
gnutls-2.8.5-13.el6_5.s390x.rpm
gnutls-debuginfo-2.8.5-13.el6_5.s390.rpm
gnutls-debuginfo-2.8.5-13.el6_5.s390x.rpm
gnutls-devel-2.8.5-13.el6_5.s390.rpm
gnutls-devel-2.8.5-13.el6_5.s390x.rpm
gnutls-utils-2.8.5-13.el6_5.s390x.rpm

x86_64:
gnutls-2.8.5-13.el6_5.i686.rpm
gnutls-2.8.5-13.el6_5.x86_64.rpm
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-devel-2.8.5-13.el6_5.i686.rpm
gnutls-devel-2.8.5-13.el6_5.x86_64.rpm
gnutls-utils-2.8.5-13.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:

i386:
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-guile-2.8.5-13.el6_5.i686.rpm

ppc64:
gnutls-debuginfo-2.8.5-13.el6_5.ppc.rpm
gnutls-debuginfo-2.8.5-13.el6_5.ppc64.rpm
gnutls-guile-2.8.5-13.el6_5.ppc.rpm
gnutls-guile-2.8.5-13.el6_5.ppc64.rpm

s390x:
gnutls-debuginfo-2.8.5-13.el6_5.s390.rpm
gnutls-debuginfo-2.8.5-13.el6_5.s390x.rpm
gnutls-guile-2.8.5-13.el6_5.s390.rpm
gnutls-guile-2.8.5-13.el6_5.s390x.rpm

x86_64:
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-guile-2.8.5-13.el6_5.i686.rpm
gnutls-guile-2.8.5-13.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:

i386:
gnutls-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-devel-2.8.5-13.el6_5.i686.rpm
gnutls-utils-2.8.5-13.el6_5.i686.rpm

x86_64:
gnutls-2.8.5-13.el6_5.i686.rpm
gnutls-2.8.5-13.el6_5.x86_64.rpm
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-devel-2.8.5-13.el6_5.i686.rpm
gnutls-devel-2.8.5-13.el6_5.x86_64.rpm
gnutls-utils-2.8.5-13.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:

i386:
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-guile-2.8.5-13.el6_5.i686.rpm

x86_64:
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-guile-2.8.5-13.el6_5.i686.rpm
gnutls-guile-2.8.5-13.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://access.redhat.com/security/cve/CVE-2014-0092
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
Ralf Paffrath reported that Radsecproxy, a RADIUS protocol proxy, mixed up
pre- and post-handshake verification of clients. This vulnerability may
wrongly accept clients without checking their certificate chain under
certain configurations.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2573-1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 200910-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Wget: Certificate validation error
      Date: October 20, 2009
      Bugs: #286058
        ID: 200910-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An error in the X.509 certificate handling of Wget might enable remote
attackers to conduct man-in-the-middle attacks.

Background
==========

GNU Wget is a free software package for retrieving files using HTTP,
HTTPS and FTP, the most widely-used Internet protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/wget                < 1.12                     >= 1.12

Description
===========

The vendor reported that Wget does not properly handle Common Name (CN)
fields in X.509 certificates that contain an ASCII NUL (\0) character.
Specifically, the processing of such fields is stopped at the first
occurrence of a NUL character. This type of vulnerability was recently
discovered by Dan Kaminsky and Moxie Marlinspike.

Impact
======

A remote attacker might employ a specially crafted X.509 certificate,
containing a NUL character in the Common Name field, to conduct
man-in-the-middle attacks on SSL connections made using Wget.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Wget users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/wget-1.12"

References
==========

[ 1 ] CVE-2009-3490
      https://www.cve.org/CVERecord?id=CVE-2009-3490

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/200910-01

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 200902-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: OpenSSL: Certificate validation error
      Date: February 12, 2009
      Bugs: #251346
        ID: 200902-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An error in the OpenSSL certificate chain validation might allow for
spoofing attacks.

Background
==========

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-libs/openssl             < 0.9.8j                   >= 0.9.8j

Description
===========

The Google Security Team reported that several functions incorrectly
check the result after calling the EVP_VerifyFinal() function, allowing
a malformed signature to be treated as a good signature rather than as
an error. This issue affects the signature checks on DSA and ECDSA keys
used with SSL/TLS.

Impact
======

A remote attacker could exploit this vulnerability and spoof arbitrary
names to conduct Man-In-The-Middle attacks and intercept sensitive
information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8j"

References
==========

[ 1 ] CVE-2008-5077
      https://www.cve.org/CVERecord?id=CVE-2008-5077

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/200902-02

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to