Gentoo Archives: gentoo-announce

From: Matthias Geerdsen <vorlon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200505-04 ] GnuTLS: Denial of Service vulnerability
Date: Mon, 09 May 2005 08:44:00
Message-Id: 20050509084354.GA5564@kosh.atw.wh.local
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200505-04
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: GnuTLS: Denial of Service vulnerability
9 Date: May 09, 2005
10 Bugs: #90726
11 ID: 200505-04
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 The GnuTLS library is vulnerable to Denial of Service attacks.
19
20 Background
21 ==========
22
23 GnuTLS is a free TLS 1.0 and SSL 3.0 implementation for the GNU
24 project.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 net-libs/gnutls < 1.2.3 >= 1.2.3
33 *>= 1.0.25
34
35 Description
36 ===========
37
38 A vulnerability has been discovered in the record packet parsing in the
39 GnuTLS library. Additionally, a flaw was also found in the RSA key
40 export functionality.
41
42 Impact
43 ======
44
45 A remote attacker could exploit this vulnerability and cause a Denial
46 of Service to any application that utilizes the GnuTLS library.
47
48 Workaround
49 ==========
50
51 There is no known workaround at this time.
52
53 Resolution
54 ==========
55
56 All GnuTLS users should remove the existing installation and upgrade to
57 the latest version:
58
59 # emerge --sync
60 # emerge --unmerge gnutls
61 # emerge --ask --oneshot --verbose net-libs/gnutls
62
63 Due to small API changes with the previous version, please do the
64 following to ensure your applications are using the latest GnuTLS that
65 you just emerged.
66
67 # revdep-rebuild --soname-regexp libgnutls.so.1[0-1]
68
69 Previously exported RSA keys can be fixed by executing the following
70 command on the key files:
71
72 # certtool -k infile outfile
73
74 References
75 ==========
76
77 [ 1 ] GnuTLS Announcement
78 http://lists.gnupg.org/pipermail/gnutls-dev/2005-April/000858.html
79 [ 2 ] CAN-2005-1431
80 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1431
81
82 Availability
83 ============
84
85 This GLSA and any updates to it are available for viewing at
86 the Gentoo Security Website:
87
88 http://security.gentoo.org/glsa/glsa-200505-04.xml
89
90 Concerns?
91 =========
92
93 Security is a primary focus of Gentoo Linux and ensuring the
94 confidentiality and security of our users machines is of utmost
95 importance to us. Any security concerns should be addressed to
96 security@g.o or alternatively, you may file a bug at
97 http://bugs.gentoo.org.
98
99 License
100 =======
101
102 Copyright 2005 Gentoo Foundation, Inc; referenced text
103 belongs to its owner(s).
104
105 The contents of this document are licensed under the
106 Creative Commons - Attribution / Share Alike license.
107
108 http://creativecommons.org/licenses/by-sa/2.0