Executive Summary
Summary | |
---|---|
Title | gnutls security update |
Informations | |||
---|---|---|---|
Name | RHSA-2014:0247 | First vendor Publication | 2014-03-03 |
Vendor | RedHat | Last vendor Modification | 2014-03-03 |
Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 5.8 | Attack Range | Network |
Cvss Impact Score | 4.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated gnutls packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) A flaw was found in the way GnuTLS handled version 1 X.509 certificates. An attacker able to obtain a version 1 certificate from a trusted certificate authority could use this flaw to issue certificates for other sites that would be accepted by GnuTLS as valid. (CVE-2009-5138) The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1069301 - CVE-2009-5138 gnutls: incorrect handling of V1 intermediate certificates 1069865 - CVE-2014-0092 gnutls: incorrect error handling in certificate verification (GNUTLS-SA-2014-2) |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2014-0247.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-310 | Cryptographic Issues |
50 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:23469 | |||
Oval ID: | oval:org.mitre.oval:def:23469 | ||
Title: | RHSA-2014:0246: gnutls security update (Important) | ||
Description: | lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:0246-00 CESA-2014:0246 CVE-2014-0092 | Version: | 7 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | gnutls |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23918 | |||
Oval ID: | oval:org.mitre.oval:def:23918 | ||
Title: | RHSA-2014:0247: gnutls security update (Important) | ||
Description: | lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:0247-00 CESA-2014:0247 CVE-2009-5138 CVE-2014-0092 | Version: | 14 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | gnutls |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24126 | |||
Oval ID: | oval:org.mitre.oval:def:24126 | ||
Title: | USN-2127-1 -- gnutls26 vulnerability | ||
Description: | Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2127-1 CVE-2014-0092 | Version: | 5 |
Platform(s): | Ubuntu 13.10 Ubuntu 12.10 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | gnutls26 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24255 | |||
Oval ID: | oval:org.mitre.oval:def:24255 | ||
Title: | ELSA-2014:0247: gnutls security update (Important) | ||
Description: | The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) A flaw was found in the way GnuTLS handled version 1 X.509 certificates. An attacker able to obtain a version 1 certificate from a trusted certificate authority could use this flaw to issue certificates for other sites that would be accepted by GnuTLS as valid. (CVE-2009-5138) The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014:0247-00 CVE-2009-5138 CVE-2014-0092 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | gnutls |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:24339 | |||
Oval ID: | oval:org.mitre.oval:def:24339 | ||
Title: | DSA-2869-1 gnutls26 - incorrect certificate verification | ||
Description: | Nikos Mavrogiannopoulos of Red Hat discovered an X.509 certificate verification issue in GnuTLS, an SSL/TLS library. A certificate validation could be reported successfully even in cases were an error would prevent all verification steps to be performed. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2869-1 CVE-2014-0092 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | gnutls26 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24508 | |||
Oval ID: | oval:org.mitre.oval:def:24508 | ||
Title: | ELSA-2014:0246: gnutls security update (Important) | ||
Description: | The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. Users of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014:0246-00 CVE-2014-0092 | Version: | 5 |
Platform(s): | Oracle Linux 6 | Product(s): | gnutls |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25237 | |||
Oval ID: | oval:org.mitre.oval:def:25237 | ||
Title: | SUSE-SU-2014:0319-1 -- Security update for gnutls | ||
Description: | The GnuTLS library received a critical security fix and other updates: * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. * CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled. Additionally a memory leak in PSK authentication has been fixed (bnc#835760). | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0319-1 CVE-2014-0092 CVE-2009-5138 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | gnutls |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25394 | |||
Oval ID: | oval:org.mitre.oval:def:25394 | ||
Title: | SUSE-SU-2014:0321-1 -- Security update for gnutls | ||
Description: | The GnuTLS library received a critical security fix and other updates: * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. * CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0321-1 CVE-2014-0092 CVE-2009-5138 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 10 | Product(s): | gnutls |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25580 | |||
Oval ID: | oval:org.mitre.oval:def:25580 | ||
Title: | SUSE-SU-2014:0323-1 -- Security update for gnutls | ||
Description: | The GnuTLS library received a critical security fix and other updates: * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. * CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled. Additionally, a memory leak in PSK authentication was fixed. bnc#835760 Security Issues: * CVE-2014-0092 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092 > | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0323-1 CVE-2014-0092 CVE-2009-5138 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 | Product(s): | gnutls |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26408 | |||
Oval ID: | oval:org.mitre.oval:def:26408 | ||
Title: | DEPRECATED: ELSA-2014-0247 -- gnutls security update (important) | ||
Description: | [1.4.1-14] - Renamed gnutls-1.4.1-cve-2014-0092-1.patch to cve-2014-5138.patch - Renamed gnutls-1.4.1-cve-2014-0092-2.patch to cve-2014-0092.patch [1.4.1-13] - fix issues of CVE-2014-0092 (#1069888) [1.4.1-12] - fix CVE-2013-2116 - fix DoS regression in CVE-2013-1619 upstream patch (#966754) [1.4.1-11] - fix CVE-2013-1619 - fix TLS-CBC timing attack (#908238) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-0247 CVE-2014-0092 CVE-2009-5138 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | gnutls |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27253 | |||
Oval ID: | oval:org.mitre.oval:def:27253 | ||
Title: | DEPRECATED: ELSA-2014-0246 -- gnutls security update (important) | ||
Description: | [2.8.5-13] - fix CVE-2014-0092 (#1069890) [2.8.5-12] - fix CVE-2013-2116 - fix DoS regression in CVE-2013-1619 upstream patch (#966754) [2.8.5-11] - fix CVE-2013-1619 - fix TLS-CBC timing attack (#908238) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-0246 CVE-2014-0092 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | gnutls |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Snort® IPS/IDS
Date | Description |
---|---|
2019-09-10 | GnuTLS x509 certificate validation policy bypass attempt RuleID : 50946 - Revision : 1 - Type : SERVER-OTHER |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-07-31 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2015-0101.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-0321-1.nasl - Type : ACT_GATHER_INFO |
2015-03-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-072.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_gnutls_20140915.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2014-0339.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0288.nasl - Type : ACT_GATHER_INFO |
2014-06-16 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201406-09.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-183.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-181.nasl - Type : ACT_GATHER_INFO |
2014-03-17 | Name : The remote Fedora host is missing a security update. File : fedora_2014-3493.nasl - Type : ACT_GATHER_INFO |
2014-03-17 | Name : The remote Fedora host is missing a security update. File : fedora_2014-3454.nasl - Type : ACT_GATHER_INFO |
2014-03-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-301.nasl - Type : ACT_GATHER_INFO |
2014-03-11 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-048.nasl - Type : ACT_GATHER_INFO |
2014-03-07 | Name : The remote Fedora host is missing a security update. File : fedora_2014-3413.nasl - Type : ACT_GATHER_INFO |
2014-03-07 | Name : The remote Fedora host is missing a security update. File : fedora_2014-3363.nasl - Type : ACT_GATHER_INFO |
2014-03-05 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2127-1.nasl - Type : ACT_GATHER_INFO |
2014-03-05 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_f645aa90a3e811e3a4223c970e169bc2.nasl - Type : ACT_GATHER_INFO |
2014-03-05 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0247.nasl - Type : ACT_GATHER_INFO |
2014-03-05 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0246.nasl - Type : ACT_GATHER_INFO |
2014-03-04 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2014-062-01.nasl - Type : ACT_GATHER_INFO |
2014-03-04 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_gnutls-140227.nasl - Type : ACT_GATHER_INFO |
2014-03-04 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140303_gnutls_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2014-03-04 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140303_gnutls_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2014-03-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0247.nasl - Type : ACT_GATHER_INFO |
2014-03-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0246.nasl - Type : ACT_GATHER_INFO |
2014-03-04 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0247.nasl - Type : ACT_GATHER_INFO |
2014-03-04 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0246.nasl - Type : ACT_GATHER_INFO |
2014-03-04 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2869.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-03-07 17:23:52 |
|
2014-03-07 13:26:17 |
|
2014-03-06 13:21:28 |
|
2014-03-05 13:29:21 |
|
2014-03-03 21:19:54 |
|