SCIENTIFIC-LINUX-ERRATA Archives

August 2017

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Pat Riehecky
Date: Mon, 21 Aug 2017 15:43:20 -0000

Synopsis:     Moderate: gnutls security, bug fix, and enhancement
Advisory ID:  SLSA-2017:2292-1
Issue Date:   2017-08-01
CVE Numbers:  CVE-2017-5337
              CVE-2017-5335
              CVE-2017-5336
              CVE-2016-7444
              CVE-2017-5334
              CVE-2017-7869
              CVE-2017-7507
--

The following packages have been upgraded to a later upstream version:
gnutls (3.3.26).

Security Fix(es):

* A double-free flaw was found in the way GnuTLS parsed certain X.509
certificates with Proxy Certificate Information extension. An attacker
could create a specially-crafted certificate which, when processed by an
application compiled against GnuTLS, could cause that application to
crash. (CVE-2017-5334)

* Multiple flaws were found in the way gnutls processed OpenPGP
certificates. An attacker could create specially crafted OpenPGP
certificates which, when parsed by gnutls, would cause it to crash.
(CVE-2017-5335, CVE-2017-5336, CVE-2017-5337, CVE-2017-7869)

* A null pointer dereference flaw was found in the way GnuTLS processed
ClientHello messages with status_request extension. A remote attacker
could use this flaw to cause an application compiled with GnuTLS to crash.
(CVE-2017-7507)

* A flaw was found in the way GnuTLS validated certificates using OCSP
responses. This could falsely report a certificate as valid under certain
circumstances. (CVE-2016-7444)
--

SL7
  x86_64
    gnutls-3.3.26-9.el7.i686.rpm
    gnutls-3.3.26-9.el7.x86_64.rpm
    gnutls-dane-3.3.26-9.el7.i686.rpm
    gnutls-dane-3.3.26-9.el7.x86_64.rpm
    gnutls-debuginfo-3.3.26-9.el7.i686.rpm
    gnutls-debuginfo-3.3.26-9.el7.x86_64.rpm
    gnutls-utils-3.3.26-9.el7.x86_64.rpm
    gnutls-c++-3.3.26-9.el7.i686.rpm
    gnutls-c++-3.3.26-9.el7.x86_64.rpm
    gnutls-devel-3.3.26-9.el7.i686.rpm
    gnutls-devel-3.3.26-9.el7.x86_64.rpm

- Scientific Linux Development Team
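
An added example, not part of the original advisory: a Python check that audits collected `rpm -qa` inventory against the fixed build listed above (3.3.26-9.el7). The host names, the older versions in the sample and the inventory line format are constructed assumptions, and the comparison is a simplified form of rpm's version ordering that ignores `~` and `^`.

```python
import re

# Fixed build and package names taken from the advisory's SL7 package list.
FIXED_VERSION, FIXED_RELEASE = "3.3.26", "9.el7"
ADVISORY_PACKAGES = {"gnutls", "gnutls-dane", "gnutls-debuginfo",
                     "gnutls-utils", "gnutls-c++", "gnutls-devel"}

def _segments(s):
    # rpm compares maximal runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm ordering (no '~' or '^' handling): returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats a letter run
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with extra segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(version, release):
    c = rpmvercmp(version, FIXED_VERSION)
    return c > 0 or (c == 0 and rpmvercmp(release, FIXED_RELEASE) >= 0)

def audit(inventory):
    """Return (host, name, version-release, arch) rows below the fixed build."""
    stale = []
    for line in inventory.strip().splitlines():
        host, name, version, release, arch = line.split()
        if name in ADVISORY_PACKAGES and not is_fixed(version, release):
            stale.append((host, name, f"{version}-{release}", arch))
    return stale

# Constructed sample: hypothetical host name followed by the output of
#   rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n'
SAMPLE = """
web01 gnutls 3.3.24 1.el7 x86_64
web01 gnutls-utils 3.3.24 1.el7 x86_64
db01 gnutls 3.3.26 9.el7 x86_64
db01 openssl-libs 1.0.2k 8.el7 x86_64
build01 gnutls-devel 3.3.8 14.el7_2 i686
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("needs SLSA-2017:2292-1:", *row)
```

Both the i686 and x86_64 builds of a package must pass on multilib hosts, which is why the architecture is carried through to the result.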
