[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244625

 
 

909

 
 

193379

 
 

277

Paid content will be excluded from the download.


Download | Alert*
OVAL

RHSA-2014:0594-01 -- Redhat gnutls

ID: oval:org.secpod.oval:def:501299Date: (C)2014-06-06   (M)2024-02-19
Class: PATCHFamily: unix




The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security . The gnutls packages also include the libtasn1 library, which provides Abstract Syntax Notation One parsing and structures management, and Distinguished Encoding Rules encoding and decoding functions. A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. It was discovered that the asn1_get_bit_der function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code. Multiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash. Multiple NULL pointer dereference flaws were found in libtasn1"s asn1_read_value function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way. Red Hat would like to thank GnuTLS upstream for reporting these issues. Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter of CVE-2014-3466. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS or libtasn1 library must be restarted.

Platform:
Red Hat Enterprise Linux 5
Product:
gnutls
Reference:
RHSA-2014:0594-01
CVE-2014-3466
CVE-2014-3467
CVE-2014-3468
CVE-2014-3469
CVE    4
CVE-2014-3466
CVE-2014-3467
CVE-2014-3468
CVE-2014-3469
...
CPE    2
cpe:/o:redhat:enterprise_linux:5
cpe:/a:gnu:gnutls

© SecPod Technologies