LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

March 2010

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA March 2010

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Moderate: gnutls on SL4.x, SL5.x i386/x86_64
From:	Troy Dawson <[log in to unmask]>
Reply To:	Troy Dawson <[log in to unmask]>
Date:	Thu, 25 Mar 2010 11:09:49 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (66 lines)

Synopsis:	Moderate: gnutls security update
Issue date:	2010-03-25
CVE Names:	CVE-2009-2409 CVE-2009-3555 CVE-2010-0731

CVE-2009-3555 TLS: MITM attacks via session renegotiation
CVE-2010-0731 gnutls: gnutls_x509_crt_get_serial incorrect serial 
decoding from ASN1 (BE64) [GNUTLS-SA-2010-1]

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handled session renegotiation. A 
man-in-the-middle attacker could use this flaw to prefix arbitrary plain 
text to a client's session (for example, an HTTPS connection to a 
website). This could force the server to process an attacker's request 
as if authenticated using the victim's credentials. This update 
addresses this flaw by implementing the TLS Renegotiation Indication 
Extension, as defined in RFC 5746. (CVE-2009-3555)

Refer to the following Knowledgebase article for additional details 
about the CVE-2009-3555 flaw: http://kbase.redhat.com/faq/docs/DOC-20491

Dan Kaminsky found that browsers could accept certificates with MD2 hash
signatures, even though MD2 is no longer considered a cryptographically
strong algorithm. This could make it easier for an attacker to create a
malicious certificate that would be treated as trusted by a browser. 
GnuTLS now disables the use of the MD2 algorithm inside signatures by 
default. (CVE-2009-2409) SL5 Only

A flaw was found in the way GnuTLS extracted serial numbers from X.509
certificates. On 64-bit big endian platforms, this flaw could cause the
certificate revocation list (CRL) check to be bypassed; cause various
GnuTLS utilities to crash; or, possibly, execute arbitrary code.
(CVE-2010-0731) SL4 Only

For the update to take effect, all applications linked to the GnuTLS 
library must be restarted, or the system rebooted.

SL 4.x

      SRPMS:
gnutls-1.0.20-4.el4_8.7.src.rpm
      i386:
gnutls-1.0.20-4.el4_8.7.i386.rpm
gnutls-devel-1.0.20-4.el4_8.7.i386.rpm
      x86_64:
gnutls-1.0.20-4.el4_8.7.i386.rpm
gnutls-1.0.20-4.el4_8.7.x86_64.rpm
gnutls-devel-1.0.20-4.el4_8.7.x86_64.rpm

SL 5.x

      SRPMS:
gnutls-1.4.1-3.el5_4.8.src.rpm
      i386:
gnutls-1.4.1-3.el5_4.8.i386.rpm
gnutls-devel-1.4.1-3.el5_4.8.i386.rpm
gnutls-utils-1.4.1-3.el5_4.8.i386.rpm
      x86_64:
gnutls-1.4.1-3.el5_4.8.i386.rpm
gnutls-1.4.1-3.el5_4.8.x86_64.rpm
gnutls-devel-1.4.1-3.el5_4.8.i386.rpm
gnutls-devel-1.4.1-3.el5_4.8.x86_64.rpm
gnutls-utils-1.4.1-3.el5_4.8.x86_64.rpm

-Connie Sieh
-Troy Dawson

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV