CentOS Errata and Security Advisory CESA-2008:0492
The GnuTLS Library provides support for cryptographic algorithms and protocols such as TLS. GnuTLS includes libtasn1, a library developed for ASN.1 structures management that includes DER encoding and decoding.
Flaws were found in the way GnuTLS handles malicious client connections. A malicious remote client could send a specially crafted request to a service using GnuTLS that could cause the service to crash. (CVE-2008-1948, CVE-2008-1949, CVE-2008-1950)
We believe it is possible to leverage the flaw CVE-2008-1948 to execute arbitrary code but have been unable to prove this at the time of releasing this advisory. Red Hat Enterprise Linux 4 does not ship with any applications directly affected by this flaw. Third-party software which runs on Red Hat Enterprise Linux 4 could, however, be affected by this vulnerability. Consequently, we have assigned it important severity.
Users of GnuTLS are advised to upgrade to these updated packages, which contain a backported patch that corrects these issues.
Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-announce/2008-May/026965.html http://lists.centos.org/pipermail/centos-announce/2008-May/026966.html http://lists.centos.org/pipermail/centos-announce/2008-May/026973.html http://lists.centos.org/pipermail/centos-announce/2008-May/026975.html
Affected packages: gnutls gnutls-devel
Upstream details at: https://rhn.redhat.com/errata/RHSA-2008-0492.html