Executive Summary

Summary | |
---|---|
Title | gnutls security update |

Information | | | |
---|---|---|---|
Name | RHSA-2014:0288 | First vendor Publication | 2014-03-12 |
Vendor | RedHat | Last vendor Modification | 2014-03-12 |
Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3

CVSS vector: N/A

Metric | Score | Metric | Score |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Metric | Score | Metric | Value |
---|---|---|---|
CVSS Base Score | 5.8 | Attack Range | Network |
CVSS Impact Score | 4.9 | Attack Complexity | Medium |
CVSS Exploit Score | 8.6 | Authentication | None Required |
Detail
Problem Description:

Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.3, 5.6 and 6.2 Long Life, and Red Hat Enterprise Linux 5.9, 6.3 and 6.4 Extended Update Support.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

- Red Hat Enterprise Linux AS (v. 4 ELS) - i386, ia64, x86_64
- Red Hat Enterprise Linux AUS (v. 6.2 server) - x86_64
- Red Hat Enterprise Linux Compute Node EUS (v. 6.3) - x86_64
- Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.3) - x86_64
- Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4) - x86_64
- Red Hat Enterprise Linux ES (v. 4 ELS) - i386, x86_64
- Red Hat Enterprise Linux EUS (v. 5.9 server) - i386, ia64, ppc, s390x, x86_64
- Red Hat Enterprise Linux HPC Node EUS (v. 6.4) - x86_64
- Red Hat Enterprise Linux LL (v. 5.6 server) - i386, ia64, x86_64
- Red Hat Enterprise Linux Long Life (v. 5.3 server) - i386, ia64, x86_64
- Red Hat Enterprise Linux Server EUS (v. 6.3) - i386, ppc64, s390x, x86_64
- Red Hat Enterprise Linux Server EUS (v. 6.4) - i386, ppc64, s390x, x86_64
- Red Hat Enterprise Linux Server Optional AUS (v. 6.2) - x86_64
- Red Hat Enterprise Linux Server Optional EUS (v. 6.3) - i386, ppc64, s390x, x86_64
- Red Hat Enterprise Linux Server Optional EUS (v. 6.4) - i386, ppc64, s390x, x86_64

3. Description:

The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS).

It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)

This issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team.

Users of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

- 1069865 - CVE-2014-0092 gnutls: incorrect error handling in certificate verification (GNUTLS-SA-2014-2)
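The advisory names the defect class behind CVE-2014-0092 (an error during X.509 verification that ends up reported as a successful verification) but does not show what such a defect looks like in code. The C program below is an added illustration and is not GnuTLS's code or part of the advisory; it shows one common way this class of bug arises, on a constructed toy certificate: a verification routine whose helpers signal failure with negative error codes, and whose callers treat any non-zero return as "verified", lets an internal error leak out as acceptance. The hardened form beside it defaults to "not verified" and only ever sets success explicitly. Every name here (toy_cert, check_issuer, verify_buggy, verify_fixed, caller_accepts, the error codes) is an assumption made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed illustration of the defect class named in the advisory.
 * Not GnuTLS code: the struct, helper names and error codes are assumed. */

enum {
    CHECK_OK       = 0,
    ERR_MALFORMED  = -1,   /* a decoding step failed */
    ERR_BAD_ISSUER = -2    /* the issuer could not be determined */
};

/* Minimal stand-in for a parsed certificate; the verification steps
 * below only consult these two flags. */
struct toy_cert {
    bool issuer_decodable;   /* issuer name parses cleanly */
    bool signed_by_trusted;  /* signature chains to a trusted CA */
};

/* Helper in the usual C style: 0 on success, negative error code on failure. */
static int check_issuer(const struct toy_cert *c)
{
    return c->issuer_decodable ? CHECK_OK : ERR_BAD_ISSUER;
}

/* BUGGY: a helper error jumps to cleanup and the negative error code
 * becomes the return value. Callers read non-zero as "verified", so the
 * error path is indistinguishable from a successful verification. */
int verify_buggy(const struct toy_cert *c)
{
    int result;

    result = check_issuer(c);
    if (result < 0)
        goto cleanup;           /* error code leaks out as the result */

    result = c->signed_by_trusted ? 1 : 0;

cleanup:
    return result;              /* 1 = verified, 0 = not verified, or -2 */
}

/* FIXED: the result defaults to "not verified"; helper return codes are
 * kept in a separate variable and only a positive check sets success. */
int verify_fixed(const struct toy_cert *c)
{
    int result = 0;             /* default: not verified */
    int ret;

    ret = check_issuer(c);
    if (ret < 0)
        goto cleanup;           /* result is still 0 */

    if (c->signed_by_trusted)
        result = 1;

cleanup:
    return result;
}

/* A caller written the way the bug depends on: any non-zero means "trust it". */
bool caller_accepts(int (*verify)(const struct toy_cert *), const struct toy_cert *c)
{
    return verify(c) != 0;
}

int main(void)
{
    /* Constructed samples: a certificate whose issuer field does not decode
     * and is not signed by a trusted CA, and a properly issued one. */
    struct toy_cert crafted = { .issuer_decodable = false, .signed_by_trusted = false };
    struct toy_cert good    = { .issuer_decodable = true,  .signed_by_trusted = true  };

    printf("buggy accepts crafted: %d\n", caller_accepts(verify_buggy, &crafted)); /* 1 */
    printf("fixed accepts crafted: %d\n", caller_accepts(verify_fixed, &crafted)); /* 0 */
    printf("fixed accepts good:    %d\n", caller_accepts(verify_fixed, &good));    /* 1 */
    return 0;
}
```

The defensive lesson is the one the fix embodies: a verification routine should have a single success value that is set only at the end of a fully completed check, and every error path should map to the explicit failure value rather than pass through whatever a helper returned. Reviewers can grep for `goto cleanup` paths that return a variable shared between error codes and boolean results.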
Original Source

Url : https://rhn.redhat.com/errata/RHSA-2014-0288.html
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-310 | Cryptographic Issues |
OVAL Definitions

Definition Id: oval:org.mitre.oval:def:23469

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:23469 |
Title | RHSA-2014:0246: gnutls security update (Important) |
Description | lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. |
Family | unix |
Class | patch |
Reference(s) | RHSA-2014:0246-00, CESA-2014:0246, CVE-2014-0092 |
Version | 7 |
Platform(s) | Red Hat Enterprise Linux 6, CentOS Linux 6 |
Product(s) | gnutls |

Definition Id: oval:org.mitre.oval:def:23918

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:23918 |
Title | RHSA-2014:0247: gnutls security update (Important) |
Description | lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. |
Family | unix |
Class | patch |
Reference(s) | RHSA-2014:0247-00, CESA-2014:0247, CVE-2009-5138, CVE-2014-0092 |
Version | 14 |
Platform(s) | Red Hat Enterprise Linux 5, CentOS Linux 5 |
Product(s) | gnutls |

Definition Id: oval:org.mitre.oval:def:24126

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:24126 |
Title | USN-2127-1 -- gnutls26 vulnerability |
Description | Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet. |
Family | unix |
Class | patch |
Reference(s) | USN-2127-1, CVE-2014-0092 |
Version | 5 |
Platform(s) | Ubuntu 13.10, Ubuntu 12.10, Ubuntu 12.04, Ubuntu 10.04 |
Product(s) | gnutls26 |

Definition Id: oval:org.mitre.oval:def:24255

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:24255 |
Title | ELSA-2014:0247: gnutls security update (Important) |
Description | The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) A flaw was found in the way GnuTLS handled version 1 X.509 certificates. An attacker able to obtain a version 1 certificate from a trusted certificate authority could use this flaw to issue certificates for other sites that would be accepted by GnuTLS as valid. (CVE-2009-5138) The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted. |
Family | unix |
Class | patch |
Reference(s) | ELSA-2014:0247-00, CVE-2009-5138, CVE-2014-0092 |
Version | 6 |
Platform(s) | Oracle Linux 5 |
Product(s) | gnutls |

Definition Id: oval:org.mitre.oval:def:24339

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:24339 |
Title | DSA-2869-1 gnutls26 - incorrect certificate verification |
Description | Nikos Mavrogiannopoulos of Red Hat discovered an X.509 certificate verification issue in GnuTLS, an SSL/TLS library. A certificate validation could be reported as successful even in cases where an error would prevent all verification steps from being performed. |
Family | unix |
Class | patch |
Reference(s) | DSA-2869-1, CVE-2014-0092 |
Version | 5 |
Platform(s) | Debian GNU/Linux 6.0, Debian GNU/Linux 7, Debian GNU/kFreeBSD 6.0, Debian GNU/kFreeBSD 7 |
Product(s) | gnutls26 |

Definition Id: oval:org.mitre.oval:def:24508

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:24508 |
Title | ELSA-2014:0246: gnutls security update (Important) |
Description | The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. Users of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted. |
Family | unix |
Class | patch |
Reference(s) | ELSA-2014:0246-00, CVE-2014-0092 |
Version | 5 |
Platform(s) | Oracle Linux 6 |
Product(s) | gnutls |

Definition Id: oval:org.mitre.oval:def:27253

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:27253 |
Title | DEPRECATED: ELSA-2014-0246 -- gnutls security update (important) |
Description | [2.8.5-13] - fix CVE-2014-0092 (#1069890); [2.8.5-12] - fix CVE-2013-2116; fix DoS regression in CVE-2013-1619 upstream patch (#966754); [2.8.5-11] - fix CVE-2013-1619; fix TLS-CBC timing attack (#908238) |
Family | unix |
Class | patch |
Reference(s) | ELSA-2014-0246, CVE-2014-0092 |
Version | 4 |
Platform(s) | Oracle Linux 6 |
Product(s) | gnutls |
Snort® IPS/IDS

Date | Description | Rule ID | Revision | Type |
---|---|---|---|---|
2019-09-10 | GnuTLS x509 certificate validation policy bypass attempt | 50946 | 1 | SERVER-OTHER |
Nessus® Vulnerability Scanner

Date | Name | File | Type |
---|---|---|---|
2015-07-31 | The remote OracleVM host is missing a security update. | oraclevm_OVMSA-2015-0101.nasl | ACT_GATHER_INFO |
2015-05-20 | The remote SUSE host is missing one or more security updates. | suse_SU-2014-0321-1.nasl | ACT_GATHER_INFO |
2015-03-30 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2015-072.nasl | ACT_GATHER_INFO |
2015-01-19 | The remote Solaris system is missing a security patch for third-party software. | solaris11_gnutls_20140915.nasl | ACT_GATHER_INFO |
2014-11-08 | The remote Red Hat host is missing a security update. | redhat-RHSA-2014-0339.nasl | ACT_GATHER_INFO |
2014-11-08 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2014-0288.nasl | ACT_GATHER_INFO |
2014-06-16 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-201406-09.nasl | ACT_GATHER_INFO |
2014-06-13 | The remote openSUSE host is missing a security update. | openSUSE-2014-183.nasl | ACT_GATHER_INFO |
2014-06-13 | The remote openSUSE host is missing a security update. | openSUSE-2014-181.nasl | ACT_GATHER_INFO |
2014-03-17 | The remote Fedora host is missing a security update. | fedora_2014-3493.nasl | ACT_GATHER_INFO |
2014-03-17 | The remote Fedora host is missing a security update. | fedora_2014-3454.nasl | ACT_GATHER_INFO |
2014-03-12 | The remote Amazon Linux AMI host is missing a security update. | ala_ALAS-2014-301.nasl | ACT_GATHER_INFO |
2014-03-11 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2014-048.nasl | ACT_GATHER_INFO |
2014-03-07 | The remote Fedora host is missing a security update. | fedora_2014-3413.nasl | ACT_GATHER_INFO |
2014-03-07 | The remote Fedora host is missing a security update. | fedora_2014-3363.nasl | ACT_GATHER_INFO |
2014-03-05 | The remote Ubuntu host is missing a security-related patch. | ubuntu_USN-2127-1.nasl | ACT_GATHER_INFO |
2014-03-05 | The remote FreeBSD host is missing one or more security-related updates. | freebsd_pkg_f645aa90a3e811e3a4223c970e169bc2.nasl | ACT_GATHER_INFO |
2014-03-05 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2014-0247.nasl | ACT_GATHER_INFO |
2014-03-05 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2014-0246.nasl | ACT_GATHER_INFO |
2014-03-04 | The remote Slackware host is missing a security update. | Slackware_SSA_2014-062-01.nasl | ACT_GATHER_INFO |
2014-03-04 | The remote SuSE 11 host is missing one or more security updates. | suse_11_gnutls-140227.nasl | ACT_GATHER_INFO |
2014-03-04 | The remote Scientific Linux host is missing one or more security updates. | sl_20140303_gnutls_on_SL6_x.nasl | ACT_GATHER_INFO |
2014-03-04 | The remote Scientific Linux host is missing one or more security updates. | sl_20140303_gnutls_on_SL5_x.nasl | ACT_GATHER_INFO |
2014-03-04 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2014-0247.nasl | ACT_GATHER_INFO |
2014-03-04 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2014-0246.nasl | ACT_GATHER_INFO |
2014-03-04 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2014-0247.nasl | ACT_GATHER_INFO |
2014-03-04 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2014-0246.nasl | ACT_GATHER_INFO |
2014-03-04 | The remote Debian host is missing a security-related update. | debian_DSA-2869.nasl | ACT_GATHER_INFO |
Alert History

Date | Information |
---|---|
2014-11-08 13:32:05 | |
2014-03-12 21:20:15 | |