GnuTLS: Multiple vulnerabilities
Gentoo Linux Security Advisory

1. Version Information

Advisory Reference: GLSA 201206-18 / GnuTLS
Release Date:       June 23, 2012
Latest Revision:    June 23, 2012: 1
Impact:             normal
Exploitable:        remote

Package          | Vulnerable versions | Unaffected versions | Architecture(s)
net-libs/gnutls  | < 2.12.18           | >= 2.12.18          | All supported architectures
Related bugreports:
#281224, #292025, #389947, #409287
Synopsis
Multiple vulnerabilities have been found in GnuTLS, allowing a
remote attacker to perform man-in-the-middle or Denial of Service attacks.
2. Impact Information
Background
GnuTLS is an Open Source implementation of the TLS 1.2 and SSL 3.0
protocols.
Description
Multiple vulnerabilities have been found in GnuTLS:
- An error in libgnutls does not properly sanitize "\0" characters from
certificate fields (CVE-2009-2730).
- An error in the TLS and SSL protocols mistreats renegotiation
handshakes (CVE-2009-3555).
- A boundary error in the "gnutls_session_get_data()" function in
gnutls_session.c could cause a buffer overflow (CVE-2011-4128).
- An error in the "_gnutls_ciphertext2compressed()" function in
gnutls_cipher.c could cause memory corruption (CVE-2012-1573).
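The first item above, the CVE-2009-2730 class of bug, comes down to how a certificate field is compared. The following added example (not GnuTLS code, and not from the advisory) contrasts a hostname check that treats the field as a C string with one that honours the field's explicit length and refuses any embedded "\0"; the struct and sample values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* A decoded certificate field: raw bytes plus an explicit length.
 * The encoding permits any byte here, including 0x00 (hypothetical type). */
typedef struct {
    const unsigned char *data;
    size_t size;
} cert_field_t;

/* Defective pattern: treat the field as a NUL-terminated C string.
 * strcmp() stops at the first 0x00, so whatever follows is never examined
 * and the stored length is ignored entirely. */
int hostname_matches_unsafe(const cert_field_t *cn, const char *expected) {
    return strcmp((const char *)cn->data, expected) == 0;
}

/* Hardened check: a DNS name can never contain 0x00, so reject the field
 * outright if one is present, then compare the full declared length. */
int hostname_matches_safe(const cert_field_t *cn, const char *expected) {
    if (memchr(cn->data, '\0', cn->size) != NULL)
        return 0;                          /* embedded NUL: invalid name */
    size_t n = strlen(expected);
    return cn->size == n && memcmp(cn->data, expected, n) == 0;
}

/* Constructed samples: one well-formed name, one with an embedded NUL. */
static const unsigned char kGoodCn[] = "www.example.com";
static const cert_field_t kGood = { kGoodCn, sizeof(kGoodCn) - 1 };
static const unsigned char kBadCn[] = "www.example.com\0.other.invalid";
static const cert_field_t kBad = { kBadCn, sizeof(kBadCn) - 1 };

int main(void) {
    /* Expected: the unsafe check accepts the malformed field, the safe one rejects it. */
    printf("malformed field: unsafe=%d safe=%d\n",
           hostname_matches_unsafe(&kBad, "www.example.com"),
           hostname_matches_safe(&kBad, "www.example.com"));
    printf("well-formed field: safe=%d\n",
           hostname_matches_safe(&kGood, "www.example.com"));
    return 0;
}
```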
Impact
A remote attacker could perform man-in-the-middle attacks to spoof
arbitrary SSL servers or cause a Denial of Service condition in
applications linked against GnuTLS.
3. Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All GnuTLS users should upgrade to the latest version:
Code Listing 3.1: Resolution

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-libs/gnutls-2.12.18"
4. References