SUSE-SU-2015:0675-1

Published: 03 Jun 2014
Source: suse-cvrf

Description

Security update for gnutls

GnuTLS has been patched to ensure proper parsing of session IDs during the TLS/SSL handshake. Additionally, three issues inherited from libtasn1 have been fixed.

Further information is available at http://www.gnutls.org/security.html#GNUTLS-SA-2014-3

These security issues have been fixed:

* Possible memory corruption during connect (CVE-2014-3466)
* Multiple boundary check issues could allow DoS (CVE-2014-3467)
* asn1_get_bit_der() can return negative bit length (CVE-2014-3468)
* Possible DoS by NULL pointer dereference (CVE-2014-3469)

Security Issue references:

* CVE-2014-3466 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466>

Package list

SUSE Linux Enterprise Desktop 11 SP3
gnutls-2.4.1-24.39.51.1
libgnutls26-2.4.1-24.39.51.1
libgnutls26-32bit-2.4.1-24.39.51.1
SUSE Linux Enterprise High Availability Extension 11 SP3
libgnutls-extra26-2.4.1-24.39.51.1
SUSE Linux Enterprise Server 11 SP3
gnutls-2.4.1-24.39.51.1
libgnutls-extra26-2.4.1-24.39.51.1
libgnutls26-2.4.1-24.39.51.1
libgnutls26-32bit-2.4.1-24.39.51.1
libgnutls26-x86-2.4.1-24.39.51.1
SUSE Linux Enterprise Server 11 SP3-TERADATA
gnutls-2.4.1-24.39.51.1
libgnutls-extra26-2.4.1-24.39.51.1
libgnutls26-2.4.1-24.39.51.1
libgnutls26-32bit-2.4.1-24.39.51.1
libgnutls26-x86-2.4.1-24.39.51.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3
gnutls-2.4.1-24.39.51.1
libgnutls-extra26-2.4.1-24.39.51.1
libgnutls26-2.4.1-24.39.51.1
libgnutls26-32bit-2.4.1-24.39.51.1
libgnutls26-x86-2.4.1-24.39.51.1
SUSE Linux Enterprise Software Development Kit 11 SP3
libgnutls-devel-2.4.1-24.39.51.1
libgnutls-extra-devel-2.4.1-24.39.51.1
libgnutls-extra26-2.4.1-24.39.51.1
SUSE Manager 1.7
gnutls-2.4.1-24.39.51.1
libgnutls-extra26-2.4.1-24.39.51.1
libgnutls26-2.4.1-24.39.51.1
libgnutls26-32bit-2.4.1-24.39.51.1

Description

GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled, treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging an X.509 v1 certificate from a trusted CA to issue new certificates, a different vulnerability than CVE-2014-1959.


Affected products
SUSE Linux Enterprise Desktop 11 SP3:gnutls-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3:libgnutls26-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3:libgnutls26-32bit-2.4.1-24.39.51.1
SUSE Linux Enterprise High Availability Extension 11 SP3:libgnutls-extra26-2.4.1-24.39.51.1


Description

The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. NOTE: this might be due to an incorrect fix for CVE-2013-0169.


Affected products
SUSE Linux Enterprise Desktop 11 SP3:gnutls-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3:libgnutls26-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3:libgnutls26-32bit-2.4.1-24.39.51.1
SUSE Linux Enterprise High Availability Extension 11 SP3:libgnutls-extra26-2.4.1-24.39.51.1


Description

lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.


Affected products
SUSE Linux Enterprise Desktop 11 SP3:gnutls-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3:libgnutls26-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3:libgnutls26-32bit-2.4.1-24.39.51.1
SUSE Linux Enterprise High Availability Extension 11 SP3:libgnutls-extra26-2.4.1-24.39.51.1


Description

Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message.


Affected products
SUSE Linux Enterprise Desktop 11 SP3:gnutls-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3:libgnutls26-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3:libgnutls26-32bit-2.4.1-24.39.51.1
SUSE Linux Enterprise High Availability Extension 11 SP3:libgnutls-extra26-2.4.1-24.39.51.1


Description

GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid.


Affected products
SUSE Linux Enterprise Desktop 11 SP3:gnutls-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3:libgnutls26-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3:libgnutls26-32bit-2.4.1-24.39.51.1
SUSE Linux Enterprise High Availability Extension 11 SP3:libgnutls-extra26-2.4.1-24.39.51.1


Description

GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors.


Affected products
SUSE Linux Enterprise Desktop 11 SP3:gnutls-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3:libgnutls26-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3:libgnutls26-32bit-2.4.1-24.39.51.1
SUSE Linux Enterprise High Availability Extension 11 SP3:libgnutls-extra26-2.4.1-24.39.51.1


Description

GnuTLS before 3.3.13 does not validate that the signature algorithms match when importing a certificate.


Affected products
SUSE Linux Enterprise Desktop 11 SP3:gnutls-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3:libgnutls26-2.4.1-24.39.51.1
SUSE Linux Enterprise Desktop 11 SP3:libgnutls26-32bit-2.4.1-24.39.51.1
SUSE Linux Enterprise High Availability Extension 11 SP3:libgnutls-extra26-2.4.1-24.39.51.1
