Mandriva Linux Security Advisory - Martin von Gagern found a flow in how GnuTLS versions 1.2.4 up until 2.6.1 verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications that used the GnuTLS library to trust invalid certificates. The updated packages have been patched to correct this issue.
0111abeb08bb42e780b644937c300f302aebebda1a1f47a4e9b45a5b6d908d34
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2008:227
http://www.mandriva.com/security/
_______________________________________________________________________
Package : gnutls
Date : November 12, 2008
Affected: 2008.0, 2008.1, 2009.0
_______________________________________________________________________
Problem Description:
Martin von Gagern found a flow in how GnuTLS versions 1.2.4 up until
2.6.1 verified certificate chains provided by a server. A malicious
server could use this flaw to spoof its identity by tricking client
applications that used the GnuTLS library to trust invalid certificates
(CVE-2008-4989).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
34153ada0d8f5e15ce0c485b11831d7b 2008.0/i586/gnutls-2.0.0-2.2mdv2008.0.i586.rpm
0b46ebe6d8e44eb4d1053e66f591d069 2008.0/i586/libgnutls13-2.0.0-2.2mdv2008.0.i586.rpm
f2b15aff240f686074760f6def6eb15f 2008.0/i586/libgnutls-devel-2.0.0-2.2mdv2008.0.i586.rpm
782fcf06fbbef4902a19f6f167468dd3 2008.0/SRPMS/gnutls-2.0.0-2.2mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
36d7717cbd69b8eaf3d3fb7a1a5460b2 2008.0/x86_64/gnutls-2.0.0-2.2mdv2008.0.x86_64.rpm
5de9bb9606d7376e1316530a06fcf811 2008.0/x86_64/lib64gnutls13-2.0.0-2.2mdv2008.0.x86_64.rpm
31ac4eada9cc4728961a63cd4c0b9f1b 2008.0/x86_64/lib64gnutls-devel-2.0.0-2.2mdv2008.0.x86_64.rpm
782fcf06fbbef4902a19f6f167468dd3 2008.0/SRPMS/gnutls-2.0.0-2.2mdv2008.0.src.rpm
Mandriva Linux 2008.1:
a994e8b75456e7072140ce99b3db34b3 2008.1/i586/gnutls-2.3.0-2.2mdv2008.1.i586.rpm
4a75a7074c2c3ce5ed7e227c1fb649bc 2008.1/i586/libgnutls26-2.3.0-2.2mdv2008.1.i586.rpm
663eb73655292445f569db0eaded64c4 2008.1/i586/libgnutls-devel-2.3.0-2.2mdv2008.1.i586.rpm
98cdc535fca1c579c615a78acf664b93 2008.1/SRPMS/gnutls-2.3.0-2.2mdv2008.1.src.rpm
Mandriva Linux 2008.1/X86_64:
34218ff0d8daa441c641324911e28e04 2008.1/x86_64/gnutls-2.3.0-2.2mdv2008.1.x86_64.rpm
49ffee1bd312e6f96937e083ad62e43e 2008.1/x86_64/lib64gnutls26-2.3.0-2.2mdv2008.1.x86_64.rpm
fb3fc4547c83eb9c0d888af75e277c99 2008.1/x86_64/lib64gnutls-devel-2.3.0-2.2mdv2008.1.x86_64.rpm
98cdc535fca1c579c615a78acf664b93 2008.1/SRPMS/gnutls-2.3.0-2.2mdv2008.1.src.rpm
Mandriva Linux 2009.0:
d2c4bbbef7fcc9dae472469d0464ae34 2009.0/i586/gnutls-2.4.1-1.1mdv2009.0.i586.rpm
648df3147464016c51f5b912c705ba34 2009.0/i586/libgnutls26-2.4.1-1.1mdv2009.0.i586.rpm
213046d8f2a3979da2a2bf9477b8de66 2009.0/i586/libgnutls-devel-2.4.1-1.1mdv2009.0.i586.rpm
11f9b81ba4f9572c5f98d8ef95dc0448 2009.0/SRPMS/gnutls-2.4.1-1.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
eba230e9e703fec6d24218bbb343213f 2009.0/x86_64/gnutls-2.4.1-1.1mdv2009.0.x86_64.rpm
97e3ade4d719d783338f96032cff40f5 2009.0/x86_64/lib64gnutls26-2.4.1-1.1mdv2009.0.x86_64.rpm
f2cb5fa913970ede87d7ede80afe91e0 2009.0/x86_64/lib64gnutls-devel-2.4.1-1.1mdv2009.0.x86_64.rpm
11f9b81ba4f9572c5f98d8ef95dc0448 2009.0/SRPMS/gnutls-2.4.1-1.1mdv2009.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJG2WdmqjQ0CJFipgRAlcYAJ0d/RzfKhu55fYf46oaCyRhgp8wnACfdwka
PM1D51X/eji/nCMzlZ2qk0c=
=Arsu
-----END PGP SIGNATURE-----
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed