Executive Summary
| Summary | |
|---|---|
| Title | gnutls security update |
| Informations | |||
|---|---|---|---|
| Name | RHSA-2006:0207 | First vendor Publication | 2006-02-10 |
| Vendor | RedHat | Last vendor Modification | 2006-02-10 |
| Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Problem Description: Updated gnutls packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Problem description: The GNU TLS Library provides support for cryptographic algorithms and protocols such as TLS. GNU TLS includes Libtasn1, a library developed for ASN.1 structures management that includes DER encoding and decoding. Several flaws were found in the way libtasn1 decodes DER. An attacker could create a carefully crafted invalid X.509 certificate in such a way that could trigger this flaw if parsed by an application that uses GNU TLS. This could lead to a denial of service (application crash). It is not certain if this issue could be escalated to allow arbitrary code execution. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0645 to this issue. In Red Hat Enterprise Linux 4, the GNU TLS library is only used by the Evolution client when connecting to an Exchange server or when publishing calendar information to a WebDAV server. Users are advised to upgrade to these updated packages, which contain a backported patch from the GNU TLS maintainers to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. Bug IDs fixed (http://bugzilla.redhat.com/): 180903 - CVE-2006-0645 GnuTLS x509 DER DoS |
Original Source
| Url : https://rhn.redhat.com/errata/RHSA-2006-0207.html |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:10540 | |||
| Oval ID: | oval:org.mitre.oval:def:10540 | ||
| Title: | Tiny ASN.1 Library (libtasn1) before 0.2.18, as used by (1) GnuTLS 1.2.x before 1.2.10 and 1.3.x before 1.3.4, and (2) GNU Shishi, allows attackers to crash the DER decoder and possibly execute arbitrary code via "out-of-bounds access" caused by invalid input, as demonstrated by the ProtoVer SSL test suite. | ||
| Description: | Tiny ASN.1 Library (libtasn1) before 0.2.18, as used by (1) GnuTLS 1.2.x before 1.2.10 and 1.3.x before 1.3.4, and (2) GNU Shishi, allows attackers to crash the DER decoder and possibly execute arbitrary code via "out-of-bounds access" caused by invalid input, as demonstrated by the ProtoVer SSL test suite. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2006-0645 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-10-10 | Name : SLES9: Security update for gnutls File : nvt/sles9p5016462.nasl |
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200602-08 (libtasn1) File : nvt/glsa_200602_08.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 985-1 (libtasn1-2) File : nvt/deb_985_1.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 986-1 (gnutls11) File : nvt/deb_986_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 23054 | GnuTLS libtasn1 DER Decoding Overflow DoS |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-985.nasl - Type : ACT_GATHER_INFO |
| 2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-986.nasl - Type : ACT_GATHER_INFO |
| 2006-07-05 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2006-0207.nasl - Type : ACT_GATHER_INFO |
| 2006-03-13 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-251-1.nasl - Type : ACT_GATHER_INFO |
| 2006-02-17 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200602-08.nasl - Type : ACT_GATHER_INFO |
| 2006-02-14 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2006-039.nasl - Type : ACT_GATHER_INFO |
| 2006-02-11 | Name : The remote Fedora Core host is missing a security update. File : fedora_2006-107.nasl - Type : ACT_GATHER_INFO |
| 2006-02-11 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2006-0207.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:49:56 |
|
