[security-announce] SUSE-SU-2014:0800-1: important: Security update for GnuTLS

16 Jun 2014

      SUSE Security Update: Security update for GnuTLS
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0800-1
Rating:             important
References:         #554084 #670152 #802651 #880730 #880910 
Cross-References:   CVE-2013-1619 CVE-2014-3466 CVE-2014-3467
                    CVE-2014-3468 CVE-2014-3469
Affected Products:
                    SUSE CORE 9
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   GnuTLS has been patched to ensure proper parsing of session ids during the
   TLS/SSL handshake. Additionally three issues inherited from libtasn1 have
   been fixed.

   Further information is available at
   http://www.gnutls.org/security.html#GNUTLS-SA-2014-3
   <http://www.gnutls.org/security.html#GNUTLS-SA-2014-3>

   These security issues have been fixed:

       * Possible memory corruption during connect (CVE-2014-3466)
       * Multiple boundary check issues could allow DoS (CVE-2014-3467)
       * asn1_get_bit_der() can return negative bit length (CVE-2014-3468)
       * Possible DoS by NULL pointer dereference (CVE-2014-3469)
       * Possible timing side-channel attack (Lucky 13) (CVE-2013-1619)

   One additional bug has been fixed:

       * Allow unsafe renegotiation (bnc#554084)

   Security Issue references:

       * CVE-2014-3466
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466>
       * CVE-2014-3467
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467>
       * CVE-2014-3468
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468>
       * CVE-2014-3469
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469>
       * CVE-2013-1619
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1619>

Package List:

   - SUSE CORE 9 (i586 s390 s390x x86_64):

      gnutls-1.0.8-26.32
      gnutls-devel-1.0.8-26.32

References:

   http://support.novell.com/security/cve/CVE-2013-1619.html
   http://support.novell.com/security/cve/CVE-2014-3466.html
   http://support.novell.com/security/cve/CVE-2014-3467.html
   http://support.novell.com/security/cve/CVE-2014-3468.html
   http://support.novell.com/security/cve/CVE-2014-3469.html
   https://bugzilla.novell.com/554084
   https://bugzilla.novell.com/670152
   https://bugzilla.novell.com/802651
   https://bugzilla.novell.com/880730
   https://bugzilla.novell.com/880910
   http://download.suse.com/patch/finder/?keywords=144b31fbd95bc788b66959b55efa...

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

opensuse-security＠opensuse.org

tags

participants (1)