SUSE Security Update: Security update for gnutls
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0320-1
Rating:             critical
References:         #536809 #554084 #659128 #739898 #753301 #754223 
                    #802651 #821818 #865804 #865993 
Cross-References:   CVE-2009-5138 CVE-2011-4108 CVE-2012-0390
                    CVE-2012-1569 CVE-2012-1573 CVE-2013-0169
                    CVE-2013-1619 CVE-2013-2116 CVE-2014-0092
                   
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that solves 9 vulnerabilities and has one errata
   is now available.

Description:


   The GnuTLS library received a critical security fix and
   other updates:

   * CVE-2014-0092: The X.509 certificate verification had
   incorrect error handling, which could lead to broken
   certificates marked as being valid.
   * CVE-2009-5138: A verification problem in handling V1
   certificates could also lead to V1 certificates incorrectly
   being handled.
   * CVE-2013-2116: The _gnutls_ciphertext2compressed
   function in lib/gnutls_cipher.c in GnuTLS allowed remote
   attackers to cause a denial of service (buffer over-read
   and crash) via a crafted padding length.
   * CVE-2013-1619: The TLS implementation in GnuTLS did
   not properly consider timing side-channel attacks on a
   noncompliant MAC check operation during the processing of
   malformed CBC padding, which allows remote attackers to
   conduct distinguishing attacks and plaintext-recovery
   attacks via statistical analysis of timing data for crafted
   packets, a related issue to CVE-2013-0169. (Lucky13)
   * CVE-2012-1569: The asn1_get_length_der function in
   decoding.c in GNU Libtasn1 , as used in GnuTLS did not
   properly handle certain large length values, which allowed
   remote attackers to cause a denial of service (heap memory
   corruption and application crash) or possibly have
   unspecified other impact via a crafted ASN.1 structure.
   * CVE-2012-1573: gnutls_cipher.c in libgnutls in GnuTLS
   did not properly handle data encrypted with a block cipher,
   which allowed remote attackers to cause a denial of service
   (heap memory corruption and application crash) via a
   crafted record, as demonstrated by a crafted
   GenericBlockCipher structure.
   * CVE-2012-0390: The DTLS implementation in GnuTLS
   executed certain error-handling code only if there is a
   specific relationship between a padding length and the
   ciphertext size, which made it easier for remote attackers   to recover partial plaintext via a timing side-channel
   attack, a related issue to CVE-2011-4108.

   Also some non security bugs have been fixed:

   * Did some more s390x size_t vs int fixes. (bnc#536809,
   bnc#659128)
   * re-enabled "legacy negotiation" (bnc#554084)
   * fix safe-renegotiation for sle10sp3 and sle10sp4 bug
   (bnc#554084)
   * fix bug bnc#536809, fix gnutls-cli to abort
   connection after detecting a bad certificate

   Security Issue references:

   * CVE-2009-5138
   
   * CVE-2011-4108
   
   * CVE-2012-0390
   
   * CVE-2012-1569
   
   * CVE-2012-1573
   
   * CVE-2013-0169
   
   * CVE-2013-1619
   
   * CVE-2013-2116
   
   * CVE-2014-0092
   



Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      gnutls-1.2.10-13.38.1
      gnutls-devel-1.2.10-13.38.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):

      gnutls-32bit-1.2.10-13.38.1
      gnutls-devel-32bit-1.2.10-13.38.1


References:

   https://www.suse.com/security/cve/CVE-2009-5138.html
   https://www.suse.com/security/cve/CVE-2011-4108.html
   https://www.suse.com/security/cve/CVE-2012-0390.html
   https://www.suse.com/security/cve/CVE-2012-1569.html
   https://www.suse.com/security/cve/CVE-2012-1573.html
   https://www.suse.com/security/cve/CVE-2013-0169.html
   https://www.suse.com/security/cve/CVE-2013-1619.html
   https://www.suse.com/security/cve/CVE-2013-2116.html
   https://www.suse.com/security/cve/CVE-2014-0092.html
   https://bugzilla.novell.com/536809
   https://bugzilla.novell.com/554084
   https://bugzilla.novell.com/659128
   https://bugzilla.novell.com/739898
   https://bugzilla.novell.com/753301
   https://bugzilla.novell.com/754223
   https://bugzilla.novell.com/802651
   https://bugzilla.novell.com/821818
   https://bugzilla.novell.com/865804
   https://bugzilla.novell.com/865993
   https://login.microfocus.com/nidp/app/login

SuSE: 2014:0320-1: critical: gnutls

March 4, 2014
An update that solves 9 vulnerabilities and has one errata An update that solves 9 vulnerabilities and has one errata An update that solves 9 vulnerabilities and has one errata is ...

Summary

The GnuTLS library received a critical security fix and other updates: * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. * CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled. * CVE-2013-2116: The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS allowed remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. * CVE-2013-1619: The TLS implementation in GnuTLS did not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. (Luc...

Read the Full Advisory

References

#536809 #554084 #659128 #739898 #753301 #754223

#802651 #821818 #865804 #865993

Cross- CVE-2009-5138 CVE-2011-4108 CVE-2012-0390

CVE-2012-1569 CVE-2012-1573 CVE-2013-0169

CVE-2013-1619 CVE-2013-2116 CVE-2014-0092

Affected Products:

SUSE Linux Enterprise Server 10 SP3 LTSS

https://www.suse.com/security/cve/CVE-2009-5138.html

https://www.suse.com/security/cve/CVE-2011-4108.html

https://www.suse.com/security/cve/CVE-2012-0390.html

https://www.suse.com/security/cve/CVE-2012-1569.html

https://www.suse.com/security/cve/CVE-2012-1573.html

https://www.suse.com/security/cve/CVE-2013-0169.html

https://www.suse.com/security/cve/CVE-2013-1619.html

https://www.suse.com/security/cve/CVE-2013-2116.html

https://www.suse.com/security/cve/CVE-2014-0092.html

https://bugzilla.novell.com/536809

https://bugzilla.novell.com/554084

https://bugzilla.novell.com/659128

https://bu...

Read the Full Advisory

Severity
Announcement ID: SUSE-SU-2014:0320-1
Rating: critical

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved