Compatible Support Forums
Gigabyte M912X Intel Atom netbook and Intel ATom Dual core N330 ECS board + other news


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________


                        SUSE Security Announcement

        Package:                gnutls
        Announcement ID:        SUSE-SA:2008:046
        Date:                   Wed, 17 Sep 2008 14:00:00 +0000
        Affected Products:      openSUSE 10.2
                                openSUSE 10.3
                                SUSE SLES 9
                                Novell Linux Desktop 9
                                Open Enterprise Server
                                Novell Linux POS 9
                                SUSE Linux Enterprise Desktop 10 SP1
                                SUSE Linux Enterprise Server 10 SP1
                                SUSE Linux Enterprise Desktop 10 SP2
                                SUSE Linux Enterprise 10 SP2 DEBUGINFO
                                SUSE Linux Enterprise Server 10 SP2
        Vulnerability Type:     remote code execution
        Severity (1-10):        8
        SUSE Default Package:   yes
        Cross-References:       CVE-2008-1948, CVE-2008-1949, CVE-2008-1950

 

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             gnutls security problems
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
             See SUSE Security Summary Report.
        6) Authenticity Verification and Additional Information

 

______________________________________________________________________________

 

1) Problem Description and Brief Discussion

Multiple security issues have been fixed in the crypto framework gnutls:

CVE-2008-1948 (GNUTLS-SA-2008-1-1): The _gnutls_server_name_recv_params function in lib/ext_server_name.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly calculate the number of Server Names in a TLS 1.0 Client Hello message during extension handling, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a zero value for the length of Server Names, which leads to a buffer overflow in session resumption data in the pack_security_parameters function.

CVE-2008-1949 (GNUTLS-SA-2008-1-2): The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service (NULL dereference and crash) via a TLS message containing multiple Client Hello messages.

CVE-2008-1950 (GNUTLS-SA-2008-1-3): Integer signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-read and crash) via a certain integer value in the Random field in an encrypted Client Hello message within a TLS record with an invalid Record Length, which leads to an invalid cipher padding length.

openSUSE 11.0 was already shipped with fixed gnutls packages.

 

2) Solution or Work-Around

There is no known workaround, please install the update packages.

3) Special Instructions and Notes

Please close and restart all running instances of gnutls after the update.

 

4) Package Location and Checksums

The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command

    rpm -Fhv <file.rpm>

to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package.

 

 

x86 Platform:

openSUSE 10.3:
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/gnutls-1.6.1-36.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/gnutls-devel-1.6.1-36.2.i586.rpm

openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/gnutls-1.4.4-19.i586.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/gnutls-devel-1.4.4-19.i586.rpm

x86-64 Platform:

openSUSE 10.3:
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/gnutls-32bit-1.6.1-36.2.x86_64.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/gnutls-devel-32bit-1.6.1-36.2.x86_64.rpm

openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/gnutls-32bit-1.4.4-19.x86_64.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/gnutls-devel-32bit-1.4.4-19.x86_64.rpm

Sources:

openSUSE 10.3:
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/gnutls-1.6.1-36.2.src.rpm

openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/gnutls-1.4.4-19.src.rpm

 

Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web:

SUSE Linux Enterprise Server 10 SP1
http://download.novell.com/index.jsp?search=Search&keywords=16019428f51c348156efc7b17ac3a6b1

SUSE Linux Enterprise Desktop 10 SP1
http://download.novell.com/index.jsp?search=Search&keywords=16019428f51c348156efc7b17ac3a6b1

Open Enterprise Server
http://download.novell.com/index.jsp?search=Search&keywords=566c183b06655fd3c666c5d69f276831

Novell Linux POS 9
http://download.novell.com/index.jsp?search=Search&keywords=566c183b06655fd3c666c5d69f276831

Novell Linux Desktop 9
http://download.novell.com/index.jsp?search=Search&keywords=566c183b06655fd3c666c5d69f276831

SUSE Linux Enterprise Server 10 SP2
http://download.novell.com/index.jsp?search=Search&keywords=566c183b06655fd3c666c5d69f276831

SUSE Linux Enterprise 10 SP2 DEBUGINFO
http://download.novell.com/index.jsp?search=Search&keywords=566c183b06655fd3c666c5d69f276831

SUSE Linux Enterprise Desktop 10 SP2
http://download.novell.com/index.jsp?search=Search&keywords=566c183b06655fd3c666c5d69f276831

SUSE SLES 9
http://download.novell.com/index.jsp?search=Search&keywords=566c183b06655fd3c666c5d69f276831

 

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

See SUSE Security Summary Report.
______________________________________________________________________________

6) Authenticity Verification and Additional Information

- Announcement authenticity verification:

 
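The first item in the advisory above, CVE-2008-1948, comes down to a server trusting the length fields of the server_name (SNI) extension when it counts the entries. The C parser below is an added example, not GnuTLS's code and not part of the advisory; it shows the checks a server-side extension parser needs: every length field is validated against the bytes actually received before it is used, a zero-length ServerNameList is rejected outright, and the number of names stored is bounded by the destination array so no count can ever exceed what was written. The wire layout follows RFC 6066 section 3; MAX_SERVER_NAMES, the function names and the sample byte strings are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GnuTLS code: a bounds-checked parser for the TLS
 * server_name extension body (RFC 6066 section 3):
 *
 *   uint16 ServerNameList length
 *   repeated: uint8 NameType | uint16 HostName length | HostName bytes
 *
 * MAX_SERVER_NAMES is an assumed cap standing in for a fixed-size array. */
#define MAX_SERVER_NAMES 4
#define MAX_NAME_LEN     255

typedef struct {
    char   name[MAX_NAME_LEN + 1];
    size_t len;
} server_name_t;

/* Returns the number of host_name entries stored (0..max_out) or -1 if the
 * extension is malformed. A zero-length list is treated as malformed: nothing
 * would be parsed from it, so any count derived from it would be wrong. */
int parse_sni(const uint8_t *ext, size_t ext_len,
              server_name_t *out, size_t max_out)
{
    if (ext_len < 2)
        return -1;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len == 0 || list_len != ext_len - 2)
        return -1;                          /* declared length must match the bytes present */

    const uint8_t *p = ext + 2, *end = ext + 2 + list_len;
    size_t count = 0;
    while (p < end) {
        if ((size_t)(end - p) < 3)          /* NameType + 2-byte length */
            return -1;
        uint8_t type = p[0];
        size_t name_len = ((size_t)p[1] << 8) | p[2];
        p += 3;
        if (name_len == 0 || name_len > (size_t)(end - p))
            return -1;                      /* name must lie inside the list */
        if (type == 0) {                    /* NameType 0 = host_name */
            if (name_len > MAX_NAME_LEN || count >= max_out)
                return -1;                  /* the count can never outrun the array */
            memcpy(out[count].name, p, name_len);
            out[count].name[name_len] = '\0';
            out[count].len = name_len;
            count++;
        }
        p += name_len;                      /* unknown NameType values are skipped */
    }
    return (int)count;
}

/* Constructed sample extension bodies (not captured traffic). */
static const uint8_t sni_ok[] = {
    0x00, 0x0e,                             /* list length 14 */
    0x00, 0x00, 0x0b,                       /* host_name, length 11 */
    'e','x','a','m','p','l','e','.','c','o','m'
};
static const uint8_t sni_zero[]  = { 0x00, 0x00 };                              /* list length 0 */
static const uint8_t sni_trunc[] = { 0x00, 0x05, 0x00, 0x00, 0x0b, 'e', 'x' };  /* name claims 11 bytes, 2 present */
static const uint8_t sni_many[]  = {                                            /* five 1-byte names, cap is 4 */
    0x00, 0x14,
    0x00, 0x00, 0x01, 'a',  0x00, 0x00, 0x01, 'b',  0x00, 0x00, 0x01, 'c',
    0x00, 0x00, 0x01, 'd',  0x00, 0x00, 0x01, 'e'
};

static server_name_t parsed[MAX_SERVER_NAMES];

/* Parse into the static array above and return the count (or -1). */
int sni_count(const uint8_t *ext, size_t ext_len)
{
    memset(parsed, 0, sizeof parsed);
    return parse_sni(ext, ext_len, parsed, MAX_SERVER_NAMES);
}

int main(void)
{
    printf("ok:    %d (%s)\n", sni_count(sni_ok, sizeof sni_ok), parsed[0].name);
    printf("zero:  %d\n", sni_count(sni_zero, sizeof sni_zero));
    printf("trunc: %d\n", sni_count(sni_trunc, sizeof sni_trunc));
    printf("many:  %d\n", sni_count(sni_many, sizeof sni_many));
    return 0;
}
```

The well-formed input yields one name, "example.com"; the zero-length list, the truncated entry and the fifth name beyond the cap are all rejected before any write happens, which is the property the advisory's first item says was missing.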

 

 
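The third item, CVE-2008-1950, is an integer signedness problem in the record-layer padding check. As an added illustration that is not GnuTLS's code and does not claim to reproduce its exact logic, the following C puts a padding-length check written around an unsigned subtraction next to one that verifies the record length before subtracting anything. The record layout (payload, then MAC, then padding whose last byte holds the padding length minus one), MAC_LEN and the sample records are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>
#include <stdio.h>

/* Added example, not GnuTLS code. Two ways of recovering the payload length of
 * a decrypted CBC record laid out as  payload | MAC (mac_len bytes) | padding,
 * where the final byte holds (padding length - 1). */

#define PAD_REJECTED INT_MIN   /* sentinel the flawed version returns on failure */
#define MAC_LEN      20        /* assumed MAC size for the samples below */

/* Flawed version: the guard compares the pad against `size - mac_len`, an
 * unsigned expression. For a record shorter than the MAC the subtraction
 * wraps to a huge value, the guard never fires, and a negative length is
 * handed to whatever copies or hashes the payload next (an over-read). */
int strip_pad_vulnerable(const uint8_t *rec, size_t size, size_t mac_len)
{
    unsigned int pad = (unsigned int)rec[size - 1] + 1;
    int length = (int)size - (int)mac_len - (int)pad;
    if (pad > size - mac_len)          /* wraps when size < mac_len */
        return PAD_REJECTED;
    return length;                     /* may be negative */
}

/* Hardened version: establish that the record is long enough before any
 * subtraction, using additions of small values so nothing can wrap.
 * Returns the payload length or -1. */
long strip_pad_hardened(const uint8_t *rec, size_t size, size_t mac_len)
{
    if (size < mac_len + 1)            /* need at least the MAC and one pad byte */
        return -1;
    size_t pad = (size_t)rec[size - 1] + 1;
    if (pad + mac_len > size)          /* pad and MAC must both fit */
        return -1;
    return (long)(size - mac_len - pad);
}

/* Constructed records (not real TLS traffic); only the last byte matters here. */
static const uint8_t rec_good[40]    = { [39] = 3 };   /* pad 4, MAC 20 -> payload 16 */
static const uint8_t rec_bad_pad[24] = { [23] = 10 };  /* pad 11 but only 4 bytes free */
static const uint8_t rec_short[3]    = { 0, 0, 0 };    /* shorter than the 20-byte MAC */

int main(void)
{
    printf("good:    vuln=%d hardened=%ld\n",
           strip_pad_vulnerable(rec_good, sizeof rec_good, MAC_LEN),
           strip_pad_hardened(rec_good, sizeof rec_good, MAC_LEN));
    printf("bad pad: vuln=%d hardened=%ld\n",
           strip_pad_vulnerable(rec_bad_pad, sizeof rec_bad_pad, MAC_LEN),
           strip_pad_hardened(rec_bad_pad, sizeof rec_bad_pad, MAC_LEN));
    printf("short:   vuln=%d hardened=%ld\n",
           strip_pad_vulnerable(rec_short, sizeof rec_short, MAC_LEN),
           strip_pad_hardened(rec_short, sizeof rec_short, MAC_LEN));
    return 0;
}
```

Both versions agree on the ordinary record (payload 16) and on a pad byte that overruns the free space, but on the 3-byte record the flawed guard passes and returns -18 while the hardened one refuses it. This example only covers the length arithmetic; a real TLS record layer must additionally verify the MAC and compare the padding bytes in constant time so that rejections do not leak timing.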
