Executive Summary

Informations
NameCVE-2009-5138First vendor Publication2014-03-06
VendorCveLast vendor Modification2014-04-01

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Cvss Base Score5.8Attack RangeNetwork
Cvss Impact Score4.9Attack ComplexityMedium
Cvss Expoit Score8.6AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled, treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates, a different vulnerability than CVE-2014-1959.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5138

CWE : Common Weakness Enumeration

%idName
100 %CWE-264Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:25580
 
Oval ID: oval:org.mitre.oval:def:25580
Title: SUSE-SU-2014:0323-1 -- Security update for gnutls
Description: The GnuTLS library received a critical security fix and other updates: * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. * CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled. Additionally, a memory leak in PSK authentication was fixed. bnc#835760 Security Issues: * CVE-2014-0092 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092 >
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0323-1
CVE-2014-0092
CVE-2009-5138
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
Product(s): gnutls
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25394
 
Oval ID: oval:org.mitre.oval:def:25394
Title: SUSE-SU-2014:0321-1 -- Security update for gnutls
Description: The GnuTLS library received a critical security fix and other updates: * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. * CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0321-1
CVE-2014-0092
CVE-2009-5138
Version: 3
Platform(s): SUSE Linux Enterprise Server 10
Product(s): gnutls
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25237
 
Oval ID: oval:org.mitre.oval:def:25237
Title: SUSE-SU-2014:0319-1 -- Security update for gnutls
Description: The GnuTLS library received a critical security fix and other updates: * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. * CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled. Additionally a memory leak in PSK authentication has been fixed (bnc#835760).
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0319-1
CVE-2014-0092
CVE-2009-5138
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): gnutls
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26408
 
Oval ID: oval:org.mitre.oval:def:26408
Title: DEPRECATED: ELSA-2014-0247 -- gnutls security update (important)
Description: [1.4.1-14] - Renamed gnutls-1.4.1-cve-2014-0092-1.patch to cve-2014-5138.patch - Renamed gnutls-1.4.1-cve-2014-0092-2.patch to cve-2014-0092.patch [1.4.1-13] - fix issues of CVE-2014-0092 (#1069888) [1.4.1-12] - fix CVE-2013-2116 - fix DoS regression in CVE-2013-1619 upstream patch (#966754) [1.4.1-11] - fix CVE-2013-1619 - fix TLS-CBC timing attack (#908238)
Family: unix Class: patch
Reference(s): ELSA-2014-0247
CVE-2014-0092
CVE-2009-5138
Version: 4
Platform(s): Oracle Linux 5
Product(s): gnutls
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application128

Nessus® Vulnerability Scanner

DateDescription
2015-05-20Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-0321-1.nasl - Type : ACT_GATHER_INFO
2014-03-05Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-0247.nasl - Type : ACT_GATHER_INFO
2014-03-04Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-0247.nasl - Type : ACT_GATHER_INFO
2014-03-04Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0247.nasl - Type : ACT_GATHER_INFO
2014-03-04Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140303_gnutls_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2014-03-04Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_gnutls-140227.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

SourceUrl
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1069301
https://gitorious.org/gnutls/gnutls/commit/c8dcbedd1fdc312f5b1a70fcfbc1afe235...
MLIST http://article.gmane.org/gmane.comp.security.oss.general/12223
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351/focus=3361
http://thread.gmane.org/gmane.comp.security.oss.general/12127
REDHAT http://rhn.redhat.com/errata/RHSA-2014-0247.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00020.html

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
DateInformations
2018-11-01 12:02:46
  • Multiple Updates
2016-04-26 19:28:54
  • Multiple Updates
2015-05-21 13:29:11
  • Multiple Updates
2014-04-01 14:39:32
  • Multiple Updates
2014-03-26 13:21:51
  • Multiple Updates
2014-03-18 13:21:54
  • Multiple Updates
2014-03-07 17:18:59
  • Multiple Updates
2014-03-07 13:21:31
  • First insertion