Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200905-04 ] GnuTLS: Multiple vulnerabilities
Date: Sun, 24 May 2009 13:36:12
Message-Id: 1243172031.23024.7.camel@localhost
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200905-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GnuTLS: Multiple vulnerabilities
Date: May 24, 2009
Bugs: #267774
ID: 200905-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in GnuTLS might result in a Denial of Service,
spoofing or the generation of invalid keys.

Background
==========

GnuTLS is an Open Source implementation of the TLS 1.0 and SSL 3.0
protocols.

Affected packages
=================

-------------------------------------------------------------------
     Package              /  Vulnerable  /             Unaffected
-------------------------------------------------------------------
  1  net-libs/gnutls           < 2.6.6                 >= 2.6.6

Description
===========

The following vulnerabilities were found in GnuTLS:

* Miroslav Kratochvil reported that lib/pk-libgcrypt.c does not
  properly handle corrupt DSA signatures, possibly leading to a
  double-free vulnerability (CVE-2009-1415).

* Simon Josefsson reported that GnuTLS generates RSA keys stored in
  DSA structures when creating a DSA key (CVE-2009-1416).

* Romain Francoise reported that the
  _gnutls_x509_verify_certificate() function in lib/x509/verify.c does
  not perform time checks, resulting in the "gnutls-cli" program
  accepting X.509 certificates with validity times in the past or
  future (CVE-2009-1417).

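The third issue (CVE-2009-1417) is a missing validity-period check: a verifier that never compares the current time against a certificate's notBefore/notAfter will accept expired or not-yet-valid certificates. The following Python is an added illustration of that check and is not GnuTLS code; it models the vulnerable "no time check" behaviour beside the corrected one using Python's standard-library ssl.cert_time_to_seconds() and constructed certificate dictionaries in the shape returned by ssl.SSLSocket.getpeercert(). The subjects, dates and the accepts_cert() helper are assumptions made for the example.

```python
import ssl
import time

# Constructed sample certificates (not from the advisory), in the dict
# shape that ssl.SSLSocket.getpeercert() returns. Dates use the
# "Mon DD HH:MM:SS YYYY GMT" format that ssl.cert_time_to_seconds() parses.
EXPIRED_CERT = {
    "subject": ((("commonName", "expired.example.test"),),),
    "notBefore": "Jan 01 00:00:00 2008 GMT",
    "notAfter": "Dec 31 23:59:59 2008 GMT",
}

FUTURE_CERT = {
    "subject": ((("commonName", "future.example.test"),),),
    "notBefore": "Jan 01 00:00:00 2020 GMT",
    "notAfter": "Dec 31 23:59:59 2020 GMT",
}


def _to_seconds(now):
    """Accept None (wall clock), a cert-time string, or epoch seconds."""
    if now is None:
        return time.time()
    if isinstance(now, str):
        return ssl.cert_time_to_seconds(now)
    return float(now)


def validity_problem(cert, now=None):
    """Return None if `now` lies inside the certificate's validity window,
    otherwise a short reason. This is the time check the advisory says
    _gnutls_x509_verify_certificate() did not perform before 2.6.6."""
    current = _to_seconds(now)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if current < not_before:
        return "certificate not yet valid"
    if current > not_after:
        return "certificate expired"
    return None


def accepts_cert(cert, now=None, check_time=True):
    """Hypothetical verifier outcome. check_time=False reproduces the
    flawed behaviour (signature chain assumed fine, dates ignored);
    check_time=True adds the validity-window check."""
    if not check_time:
        return True  # vulnerable path: dates never consulted
    return validity_problem(cert, now) is None


if __name__ == "__main__":
    probe = "Jun 15 12:00:00 2009 GMT"  # constructed "current time"
    for cert in (EXPIRED_CERT, FUTURE_CERT):
        name = cert["subject"][0][0][1]
        print(f"{name}: without time check -> {accepts_cert(cert, probe, False)}, "
              f"with time check -> {accepts_cert(cert, probe)} "
              f"({validity_problem(cert, probe)})")
```

Run stand-alone, the script shows both constructed certificates being accepted when dates are ignored and rejected once the window is enforced. Passing a fixed time instead of the wall clock is what makes the check testable and keeps the example independent of when it is run.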
Impact
======

A remote attacker could entice a user or automated system to process a
specially crafted DSA certificate, possibly resulting in a Denial of
Service condition. NOTE: This issue might have other unspecified impact
including the execution of arbitrary code. Furthermore, a remote
attacker could spoof signatures on certificates and the "gnutls-cli"
application can be tricked into accepting an invalid certificate.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GnuTLS users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/gnutls-2.6.6"

References
==========

[ 1 ] CVE-2009-1415
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1415
[ 2 ] CVE-2009-1416
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1416
[ 3 ] CVE-2009-1417
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200905-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
