Executive Summary
Summary | |
---|---|
Title | gnutls26 security update |
Information | |||
---|---|---|---|
Name | DSA-2441 | First vendor Publication | 2012-03-25 |
Vendor | Debian | Last vendor Modification | 2012-03-25 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Matthew Hall discovered that GNUTLS does not properly handle truncated GenericBlockCipher structures nested inside TLS records, leading to crashes in applications using the GNUTLS library. For the stable distribution (squeeze), this problem has been fixed in version 2.8.6-1+squeeze2. For the unstable distribution (sid), this problem has been fixed in version 2.12.18-1 of the gnutls26 package and version 3.0.17-2 of the gnutls28 package. We recommend that you upgrade your gnutls26 packages. |
Original Source
Url : http://www.debian.org/security/2012/dsa-2441 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-310 | Cryptographic Issues |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:15178 | |||
Oval ID: | oval:org.mitre.oval:def:15178 | ||
Title: | DSA-2441-1 gnutls26 -- missing bounds check | ||
Description: | Matthew Hall discovered that GNUTLS does not properly handle truncated GenericBlockCipher structures nested inside TLS records, leading to crashes in applications using the GNUTLS library. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2441-1 CVE-2012-1573 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | gnutls26 |
Definition Id: oval:org.mitre.oval:def:17742 | |||
Oval ID: | oval:org.mitre.oval:def:17742 | ||
Title: | USN-1418-1 -- gnutls13, gnutls26 vulnerabilities | ||
Description: | The GnuTLS library could be made to crash under certain conditions. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1418-1 CVE-2011-4128 CVE-2012-1573 | Version: | 7 |
Platform(s): | Ubuntu 11.10 Ubuntu 11.04 Ubuntu 10.10 Ubuntu 10.04 Ubuntu 8.04 | Product(s): | gnutls26 gnutls13 |
Definition Id: oval:org.mitre.oval:def:20583 | |||
Oval ID: | oval:org.mitre.oval:def:20583 | ||
Title: | RHSA-2012:0429: gnutls security update (Important) | ||
Description: | gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:0429-02 CESA-2012:0429 CVE-2011-4128 CVE-2012-1573 | Version: | 29 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | gnutls |
Definition Id: oval:org.mitre.oval:def:20585 | |||
Oval ID: | oval:org.mitre.oval:def:20585 | ||
Title: | VMware vSphere and vCOps updates to third party libraries | ||
Description: | gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2012-1573 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 VMWare ESX Server 4.0 | Product(s): | |
Definition Id: oval:org.mitre.oval:def:21250 | |||
Oval ID: | oval:org.mitre.oval:def:21250 | ||
Title: | RHSA-2012:0428: gnutls security update (Important) | ||
Description: | gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:0428-02 CESA-2012:0428 CVE-2011-4128 CVE-2012-1569 CVE-2012-1573 | Version: | 42 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | gnutls |
Definition Id: oval:org.mitre.oval:def:23081 | |||
Oval ID: | oval:org.mitre.oval:def:23081 | ||
Title: | ELSA-2012:0428: gnutls security update (Important) | ||
Description: | gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:0428-02 CVE-2011-4128 CVE-2012-1569 CVE-2012-1573 | Version: | 17 |
Platform(s): | Oracle Linux 5 | Product(s): | gnutls |
Definition Id: oval:org.mitre.oval:def:23329 | |||
Oval ID: | oval:org.mitre.oval:def:23329 | ||
Title: | ELSA-2012:0429: gnutls security update (Important) | ||
Description: | gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:0429-02 CVE-2011-4128 CVE-2012-1573 | Version: | 13 |
Platform(s): | Oracle Linux 6 | Product(s): | gnutls |
Definition Id: oval:org.mitre.oval:def:27800 | |||
Oval ID: | oval:org.mitre.oval:def:27800 | ||
Title: | DEPRECATED: ELSA-2012-0429 -- gnutls security update (important) | ||
Description: | [2.8.5-4.2] - fix CVE-2012-1573 - security issue in packet parsing (#805432) - fix CVE-2011-4128 - buffer overflow in gnutls_session_get_data() (#752308) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-0429 CVE-2011-4128 CVE-2012-1573 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | gnutls |
Definition Id: oval:org.mitre.oval:def:27901 | |||
Oval ID: | oval:org.mitre.oval:def:27901 | ||
Title: | DEPRECATED: ELSA-2012-0428 -- gnutls security update (important) | ||
Description: | [1.4.1-7.2] - fix CVE-2011-4128 - buffer overflow in gnutls_session_get_data() (#752308) - fix CVE-2012-1569 - missing length check when decoding DER lengths (#804920) - fix CVE-2012-1573 - security issue in packet parsing (#805432) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-0428 CVE-2011-4128 CVE-2012-1569 CVE-2012-1573 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | gnutls |
OpenVAS Exploits
Date | Description |
---|---|
2012-08-31 | Name : VMSA-2012-0013 VMware vSphere and vCOps updates to third party libraries. File : nvt/gb_VMSA-2012-0013.nasl |
2012-08-10 | Name : Gentoo Security Advisory GLSA 201206-18 (GnuTLS) File : nvt/glsa_201206_18.nasl |
2012-08-03 | Name : Mandriva Update for gnutls MDVSA-2012:040 (gnutls) File : nvt/gb_mandriva_MDVSA_2012_040.nasl |
2012-07-30 | Name : CentOS Update for gnutls CESA-2012:0428 centos5 File : nvt/gb_CESA-2012_0428_gnutls_centos5.nasl |
2012-07-30 | Name : CentOS Update for gnutls CESA-2012:0429 centos6 File : nvt/gb_CESA-2012_0429_gnutls_centos6.nasl |
2012-07-09 | Name : RedHat Update for gnutls RHSA-2012:0429-01 File : nvt/gb_RHSA-2012_0429-01_gnutls.nasl |
2012-04-30 | Name : Debian Security Advisory DSA 2441-1 (gnutls26) File : nvt/deb_2441_1.nasl |
2012-04-30 | Name : FreeBSD Ports: gnutls File : nvt/freebsd_gnutls7.nasl |
2012-04-11 | Name : Fedora Update for gnutls FEDORA-2012-4569 File : nvt/gb_fedora_2012_4569_gnutls_fc15.nasl |
2012-04-11 | Name : Ubuntu Update for gnutls26 USN-1418-1 File : nvt/gb_ubuntu_USN_1418_1.nasl |
2012-03-29 | Name : RedHat Update for gnutls RHSA-2012:0428-01 File : nvt/gb_RHSA-2012_0428-01_gnutls.nasl |
2012-03-26 | Name : Fedora Update for gnutls FEDORA-2012-4578 File : nvt/gb_fedora_2012_4578_gnutls_fc16.nasl |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2012-09-27 | IAVM : 2012-A-0153 - Multiple Vulnerabilities in VMware ESX 4.0 and ESXi 4.0 Severity : Category I - VMSKEY : V0033884 |
2012-09-13 | IAVM : 2012-A-0148 - Multiple Vulnerabilities in VMware ESXi 4.1 and ESX 4.1 Severity : Category I - VMSKEY : V0033794 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Free Software Foundation GnuTLS record application integer overflow attempt RuleID : 24996 - Revision : 3 - Type : SERVER-OTHER |
2014-01-10 | Free Software Foundation GnuTLS record application integer overflow attempt RuleID : 24995 - Revision : 6 - Type : SERVER-OTHER |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-02-29 | Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_VMSA-2012-0013_remote.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_gnutls_20130619.nasl - Type : ACT_GATHER_INFO |
2014-11-17 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0488.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0531.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-277.nasl - Type : ACT_GATHER_INFO |
2013-10-15 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-287-03.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-59.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-0428.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-0429.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_gnutls-120615.nasl - Type : ACT_GATHER_INFO |
2012-08-31 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2012-0013.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120327_gnutls_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120327_gnutls_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-07-03 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_gnutls-8066.nasl - Type : ACT_GATHER_INFO |
2012-06-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-18.nasl - Type : ACT_GATHER_INFO |
2012-04-11 | Name : The remote Fedora host is missing a security update. File : fedora_2012-4569.nasl - Type : ACT_GATHER_INFO |
2012-04-06 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1418-1.nasl - Type : ACT_GATHER_INFO |
2012-03-29 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-0429.nasl - Type : ACT_GATHER_INFO |
2012-03-28 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0429.nasl - Type : ACT_GATHER_INFO |
2012-03-28 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0428.nasl - Type : ACT_GATHER_INFO |
2012-03-28 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-040.nasl - Type : ACT_GATHER_INFO |
2012-03-28 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-0428.nasl - Type : ACT_GATHER_INFO |
2012-03-26 | Name : The remote Fedora host is missing a security update. File : fedora_2012-4578.nasl - Type : ACT_GATHER_INFO |
2012-03-26 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2441.nasl - Type : ACT_GATHER_INFO |
2012-03-22 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_aecee357739e11e1a883001cc0a36e12.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:30:58 | |