Package name
gnutls
Date
2009-05-18
Advisory ID
MDVSA-2009:116
Affected versions
2009.0 x86_64, 2009.1 i586, 2009.0 i586, 2008.1 i586, CS4.0 i586, CS4.0 x86_64, 2008.1 x86_64, 2009.1 x86_64

Problem description

Multiple vulnerabilities have been found and corrected in gnutls:

lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not
properly handle invalid DSA signatures, which allows remote attackers
to cause a denial of service (application crash) and possibly have
unspecified other impact via a malformed DSA key that triggers a (1)
free of an uninitialized pointer or (2) double free (CVE-2009-1415).

lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates
RSA keys stored in DSA structures, instead of the intended DSA keys,
which might allow remote attackers to spoof signatures on certificates
or have unspecified other impact by leveraging an invalid DSA key
(CVE-2009-1416).

gnutls-cli in GnuTLS before 2.6.6 does not verify the activation
and expiration times of X.509 certificates, which allows remote
attackers to successfully present a certificate that is (1) not yet
valid or (2) no longer valid, related to lack of time checks in the
_gnutls_x509_verify_certificate function in lib/x509/verify.c in
libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup
(CVE-2009-1417).
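
An added example (not code from GnuTLS or from this advisory) that models the time check CVE-2009-1417 describes as missing: each certificate in a presented chain is tested against its activation and expiration times, and an unreadable time field counts as a failure. The struct, constants and function names are hypothetical, and the sample chain is constructed; in an application the two times would come from gnutls_x509_crt_get_activation_time() and gnutls_x509_crt_get_expiration_time().

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical result bits for this example (not GnuTLS constants). */
#define TIME_OK            0u
#define TIME_NOT_ACTIVATED 1u  /* now is before the activation time */
#define TIME_EXPIRED       2u  /* now is after the expiration time */
#define TIME_UNREADABLE    4u  /* a time field could not be read */

/* Validity window of one certificate. The GnuTLS getters named in the
 * lead-in return (time_t)-1 on error, so that value is treated as invalid. */
struct cert_window {
    time_t activation;
    time_t expiration;
};

/* Check one certificate; an unreadable field is a failure, never "valid". */
static unsigned check_window(const struct cert_window *c, time_t now)
{
    unsigned status = TIME_OK;
    if (c->activation == (time_t)-1 || c->expiration == (time_t)-1)
        return TIME_UNREADABLE;
    if (now < c->activation)
        status |= TIME_NOT_ACTIVATED;
    if (now > c->expiration)
        status |= TIME_EXPIRED;
    return status;
}

/* Check every certificate in the chain, not only the leaf. Returns the OR
 * of all failures; TIME_OK means the whole chain is in date. An empty
 * chain is rejected. */
unsigned check_chain_times(const struct cert_window *chain, size_t n, time_t now)
{
    unsigned status = TIME_OK;
    if (chain == NULL || n == 0)
        return TIME_UNREADABLE;
    for (size_t i = 0; i < n; i++)
        status |= check_window(&chain[i], now);
    return status;
}

int main(void)
{
    /* Constructed sample: leaf in date, issuer expired at t=1900. */
    struct cert_window chain[] = { {1000, 2000}, {1800, 1900} };
    unsigned st = check_chain_times(chain, 2, 1950);
    printf("status=%u\n", st);
    return st == TIME_OK ? 0 : 1;
}
```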

The updated packages have been patched to prevent this.

Updated packages

2009.0 x86_64

 50eb92f492ac913e11223cf407df5cd4  2009.0/x86_64/gnutls-2.4.1-2.4mdv2009.0.x86_64.rpm
 e365c536596584def2d8b61ab4ad63a9  2009.0/x86_64/lib64gnutls26-2.4.1-2.4mdv2009.0.x86_64.rpm
 13d3880ff941cf06ea4fedeed9ed927b  2009.0/x86_64/lib64gnutls-devel-2.4.1-2.4mdv2009.0.x86_64.rpm 
 dc2307362de50d642550c68a952e69aa  2009.0/SRPMS/gnutls-2.4.1-2.4mdv2009.0.src.rpm

2009.1 i586

 bc07281e83debdbb5e652d0b84899c47  2009.1/i586/gnutls-2.6.4-1.2mdv2009.1.i586.rpm
 89a97dd8d4cd8b717eacffdcf6d1fe59  2009.1/i586/libgnutls26-2.6.4-1.2mdv2009.1.i586.rpm
 cbaed84e3b4d9787c4c230b6fa44b7cc  2009.1/i586/libgnutls-devel-2.6.4-1.2mdv2009.1.i586.rpm 
 96fc806f2ac7db65af86ca7c6513d0f4  2009.1/SRPMS/gnutls-2.6.4-1.2mdv2009.1.src.rpm

2009.0 i586

 c28c925bd7f0269611ac9c6dd392df28  2009.0/i586/gnutls-2.4.1-2.4mdv2009.0.i586.rpm
 7a41677834cb818e4e8423fa2360e5e8  2009.0/i586/libgnutls26-2.4.1-2.4mdv2009.0.i586.rpm
 d47da33eac7b6477f2690c153d2e4408  2009.0/i586/libgnutls-devel-2.4.1-2.4mdv2009.0.i586.rpm 
 dc2307362de50d642550c68a952e69aa  2009.0/SRPMS/gnutls-2.4.1-2.4mdv2009.0.src.rpm

2008.1 i586

 6d7ecb7d91ba28868368b87e8053aea7  2008.1/i586/gnutls-2.3.0-2.5mdv2008.1.i586.rpm
 96b8911ca78bf3e5fc613c712ff981d8  2008.1/i586/libgnutls26-2.3.0-2.5mdv2008.1.i586.rpm
 d6a02014de6dc2a0c15a2760e137bb51  2008.1/i586/libgnutls-devel-2.3.0-2.5mdv2008.1.i586.rpm 
 3fb2fe697587a4207059124a71ff44a1  2008.1/SRPMS/gnutls-2.3.0-2.5mdv2008.1.src.rpm

CS4.0 i586

 72433f7e4e0952eabf5838e7de56f9cb  corporate/4.0/i586/gnutls-1.0.25-2.4.20060mlcs4.i586.rpm
 7a3ba08830a820772bb2ffdda5bd9304  corporate/4.0/i586/libgnutls11-1.0.25-2.4.20060mlcs4.i586.rpm
 cb04b2511750d20901be98da67a287c9  corporate/4.0/i586/libgnutls11-devel-1.0.25-2.4.20060mlcs4.i586.rpm 
 2c5ddb3d77debdb4eb619896d264ef36  corporate/4.0/SRPMS/gnutls-1.0.25-2.4.20060mlcs4.src.rpm

CS4.0 x86_64

 84d3e0ac9c3b992b4d7dadd3f4a83f4f  corporate/4.0/x86_64/gnutls-1.0.25-2.4.20060mlcs4.x86_64.rpm
 4e97802d216f69842e6a373aa5d83aeb  corporate/4.0/x86_64/lib64gnutls11-1.0.25-2.4.20060mlcs4.x86_64.rpm
 8af535b1023b577afbe122344fad21be  corporate/4.0/x86_64/lib64gnutls11-devel-1.0.25-2.4.20060mlcs4.x86_64.rpm 
 2c5ddb3d77debdb4eb619896d264ef36  corporate/4.0/SRPMS/gnutls-1.0.25-2.4.20060mlcs4.src.rpm

2008.1 x86_64

 b2a99ca654a7c67bfdc77c8c13d748d9  2008.1/x86_64/gnutls-2.3.0-2.5mdv2008.1.x86_64.rpm
 ecd43a69e956d43346c45450c7fc9051  2008.1/x86_64/lib64gnutls26-2.3.0-2.5mdv2008.1.x86_64.rpm
 4347df4cc5403f6a427d9cd1e52080ea  2008.1/x86_64/lib64gnutls-devel-2.3.0-2.5mdv2008.1.x86_64.rpm 
 3fb2fe697587a4207059124a71ff44a1  2008.1/SRPMS/gnutls-2.3.0-2.5mdv2008.1.src.rpm

2009.1 x86_64

 c785b4b48f78089add92553b67ecf7a5  2009.1/x86_64/gnutls-2.6.4-1.2mdv2009.1.x86_64.rpm
 5c68d534e8741114dfbb9ddd937badf7  2009.1/x86_64/lib64gnutls26-2.6.4-1.2mdv2009.1.x86_64.rpm
 d21fab6a3225a1333b757707bbfa7be9  2009.1/x86_64/lib64gnutls-devel-2.6.4-1.2mdv2009.1.x86_64.rpm 
 96fc806f2ac7db65af86ca7c6513d0f4  2009.1/SRPMS/gnutls-2.6.4-1.2mdv2009.1.src.rpm
