SUSE-SU-2019:1121-1

Published: 30 Apr 2019
Source: suse-cvrf

Description

Security update for gnutls

This update for gnutls to version 3.6.7 fixes the following issues:

Security issues fixed:

  • CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3 async messages (bsc#1130682).
  • CVE-2019-3829: Fixed a double free vulnerability in the certificate verification API (bsc#1130681).
  • CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087).

Non-security issue fixed:

  • Update gnutls to support TLS 1.3 (fate#327114)

Package list

Container caasp/v4/389-ds:1.4.2
libgnutls30-3.6.7-6.8.1
Container caasp/v4/busybox:1.34.1
libgnutls30-3.6.7-6.8.1
Container caasp/v4/caasp-dex:2.16.0
libgnutls30-3.6.7-6.8.1
Container caasp/v4/caaspctl-tooling:beta
libgnutls30-3.6.7-6.8.1
Container caasp/v4/cert-exporter:2.3.0
libgnutls30-3.6.7-6.8.1
Container caasp/v4/cilium-etcd-operator:2.0.5
libgnutls30-3.6.7-6.8.1
Container caasp/v4/cilium-init:1.5.3
libgnutls30-3.6.7-6.8.1
Container caasp/v4/cilium-operator:1.6.6
libgnutls30-3.6.7-6.8.1
Container caasp/v4/cilium:1.6.6
libgnutls30-3.6.7-6.8.1
Container caasp/v4/cloud-provider-openstack:1.15.0
libgnutls30-3.6.7-6.8.1
Container caasp/v4/configmap-reload:0.3.0
libgnutls30-3.6.7-6.8.1
Container caasp/v4/coredns:1.6.7
libgnutls30-3.6.7-6.8.1
Container caasp/v4/curl:7.60.0
libgnutls30-3.6.7-6.8.1
Container caasp/v4/etcd:3.4.13
libgnutls30-3.6.7-6.8.1
Container caasp/v4/gangway:3.1.0
libgnutls30-3.6.7-6.8.1
Container caasp/v4/grafana:7.5.12
libgnutls30-3.6.7-6.8.1
Container caasp/v4/helm-tiller:2.16.12
libgnutls30-3.6.7-6.8.1
Container caasp/v4/hyperkube:v1.17.17
libgnutls30-3.6.7-6.8.1
Container caasp/v4/k8s-sidecar:0.1.75
libgnutls30-3.6.7-6.8.1
Container caasp/v4/kube-state-metrics:1.9.3
libgnutls30-3.6.7-6.8.1
Container caasp/v4/kubernetes-client:1.17.17
libgnutls30-3.6.7-6.8.1
Container caasp/v4/kucero:1.3.0
libgnutls30-3.6.7-6.8.1
Container caasp/v4/kured:1.3.0
libgnutls30-3.6.7-6.8.1
Container caasp/v4/metrics-server:0.3.6
libgnutls30-3.6.7-6.8.1
Container caasp/v4/prometheus-alertmanager:0.16.2
libgnutls30-3.6.7-6.8.1
Container caasp/v4/prometheus-node-exporter:1.1.2
libgnutls30-3.6.7-6.8.1
Container caasp/v4/prometheus-pushgateway:0.6.0
libgnutls30-3.6.7-6.8.1
Container caasp/v4/prometheus-server:2.7.1
libgnutls30-3.6.7-6.8.1
Container caasp/v4/rsyslog:8.39.0
libgnutls30-3.6.7-6.8.1
Container caasp/v4/skuba-tooling:0.1.0
libgnutls30-3.6.7-6.8.1
Container caasp/v4/test-update:beta
libgnutls30-3.6.7-6.8.1
Container caasp/v4/velero-plugin-for-aws:1.0.1
libgnutls30-3.6.7-6.8.1
Container caasp/v4/velero-plugin-for-gcp:1.0.1
libgnutls30-3.6.7-6.8.1
Container caasp/v4/velero-plugin-for-microsoft-azure:1.0.1
libgnutls30-3.6.7-6.8.1
Container caasp/v4/velero-restic-restore-helper:1.3.1
libgnutls30-3.6.7-6.8.1
Container caasp/v4/velero:1.3.1
libgnutls30-3.6.7-6.8.1
Container ses/6/cephcsi/cephcsi:latest
libgnutls30-3.6.7-6.8.1
Container ses/6/rook/ceph:latest
libgnutls30-3.6.7-6.8.1
Container suse/sle15:15.0
libgnutls30-3.6.7-6.8.1
Container suse/sle15:15.1
libgnutls30-3.6.7-6.8.1
SUSE Linux Enterprise Module for Basesystem 15
gnutls-3.6.7-6.8.1
libgnutls-devel-3.6.7-6.8.1
libgnutls30-3.6.7-6.8.1
libgnutls30-32bit-3.6.7-6.8.1
libgnutlsxx-devel-3.6.7-6.8.1
libgnutlsxx28-3.6.7-6.8.1
SUSE Linux Enterprise Module for Desktop Applications 15
libgnutls30-32bit-3.6.7-6.8.1

Description

A Bleichenbacher-type side-channel-based padding oracle attack was found in the way gnutls handles verification of RSA-decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process could use this to extract plaintext or, in some cases, downgrade any TLS connections to a vulnerable server.


Affected products
Container caasp/v4/389-ds:1.4.2:libgnutls30-3.6.7-6.8.1
Container caasp/v4/busybox:1.34.1:libgnutls30-3.6.7-6.8.1
Container caasp/v4/caasp-dex:2.16.0:libgnutls30-3.6.7-6.8.1
Container caasp/v4/caaspctl-tooling:beta:libgnutls30-3.6.7-6.8.1


Description

A memory corruption (double free) vulnerability was found in the certificate verification API of gnutls versions from 3.5.8 before 3.6.7. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.


Affected products
Container caasp/v4/389-ds:1.4.2:libgnutls30-3.6.7-6.8.1
Container caasp/v4/busybox:1.34.1:libgnutls30-3.6.7-6.8.1
Container caasp/v4/caasp-dex:2.16.0:libgnutls30-3.6.7-6.8.1
Container caasp/v4/caaspctl-tooling:beta:libgnutls30-3.6.7-6.8.1


Description

An uninitialized pointer access was discovered in upstream gnutls versions 3.6.3 or later, before version 3.6.7, which can be triggered by certain post-handshake messages.


Affected products
Container caasp/v4/389-ds:1.4.2:libgnutls30-3.6.7-6.8.1
Container caasp/v4/busybox:1.34.1:libgnutls30-3.6.7-6.8.1
Container caasp/v4/caasp-dex:2.16.0:libgnutls30-3.6.7-6.8.1
Container caasp/v4/caaspctl-tooling:beta:libgnutls30-3.6.7-6.8.1
