BugTraq
[ GLSA 201110-05 ] GnuTLS: Multiple vulnerabilities Oct 10 2011 09:59PM
Tobias Heinlein (keytoaster gentoo org)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GnuTLS: Multiple vulnerabilities
Date: October 10, 2011
Bugs: #281224, #292025
ID: 201110-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in GnuTLS, allowing for easier
man-in-the-middle attacks.

Background
==========

GnuTLS is an Open Source implementation of the TLS 1.2 and SSL 3.0
protocols.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/gnutls < 2.10.0 >= 2.10.0

Description
===========

Multiple vulnerabilities have been discovered in GnuTLS. Please review
the CVE identifiers referenced below for details.

Impact
======

An attacker could perform man-in-the-middle attacks to spoof arbitrary
SSL servers via a crafted certificate issued by a legitimate
Certification Authority or to inject an arbitrary amount of chosen
plaintext into the beginning of the application protocol stream,
allowing for further exploitation.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GnuTLS users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/gnutls-2.10.0"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since August 6, 2010. It is likely that your system is
already no longer affected by this issue.

References
==========

[ 1 ] CVE-2009-2730
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2730
[ 2 ] CVE-2009-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3555

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201110-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCAAGBQJOk2qsAAoJEByNLmvcM7Duw/UQAKC0rL/VTyxC1nDTeTsAt8+E
gEbjT2ssKWaD/GRUzGS4yaG8xGQyob6PH3SOZoKJp1A1pWx8rrBI0VPQZIDV3qB1
pr3pgjKpvm6Qr9jE2a2RaM5u8Xz5af6l4j/CjL04Gd+sRdjR5SxvBEu1tfjN8Ofz
gqKyKqf4TiGnIuf9rl2JVQLcCg43xDob8KcxTCddlYBz9nTR+IZ0+zbNJR3Ijgs2
iGg+TtwmSEs1+sbLf9q3ZKmk7BIjADidsG8KUG9UqJAoPQFszHUgZFb0GpUal6hp
6rmGwKal+m69WJ1zzEbTev5wZEbwPDt/v5QgN78Fx5Wa4fN7pjsslcV62VrX0Wzx
v6Y9lqmyqjNjQGuHP1z7jEH83ZJq0ZriZAHqn4GTy4cokZxzhxNxn6SFfwyYMtGJ
4itEbHmwlaSHychqZ32kzFkphT8Xf5UueEvCJXrNdB9fQ9X7FTmMJrXADWfGkCEO
xZExCEOeflV6n9wIhQOPmItY254fpwJE7wNy15ub2z/AxFVCVXpFun/MM2toWEAj
fVDy8O7TyDHlzOHRKF991i/+y7zxm2S3gMEkPliHGTg0J6X1NWuYEPYao3sOfQ/d
noVF2qxs05v8jpUtJSK0IXy5hCzWOjwX5mpR3NRT2GB34J/CZGvCzGjRN6ZXWvTh
mE5jbAEzSJ11FMPiUmJ4
=8aX5
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus