gnutls security update

2008-05-22T13:49:09
ID CESA-2008:0492
Type centos
Reporter CentOS Project
Modified 2008-05-23T17:35:27

Description

CentOS Errata and Security Advisory CESA-2008:0492

The GnuTLS library provides support for cryptographic algorithms and protocols such as TLS. GnuTLS includes libtasn1, a library for managing ASN.1 structures that provides DER encoding and decoding.

Flaws were found in the way GnuTLS handles malicious client connections. A malicious remote client could send a specially crafted request to a service using GnuTLS that could cause the service to crash. (CVE-2008-1948, CVE-2008-1949, CVE-2008-1950)

We believe it is possible to leverage the flaw CVE-2008-1948 to execute arbitrary code but have been unable to prove this at the time of releasing this advisory. Red Hat Enterprise Linux 4 does not ship with any applications directly affected by this flaw. Third-party software which runs on Red Hat Enterprise Linux 4 could, however, be affected by this vulnerability. Consequently, we have assigned it important severity.

Users of GnuTLS are advised to upgrade to these updated packages, which contain a backported patch that corrects these issues.

Merged security bulletin from advisories:
http://lists.centos.org/pipermail/centos-announce/2008-May/014927.html
http://lists.centos.org/pipermail/centos-announce/2008-May/014928.html
http://lists.centos.org/pipermail/centos-announce/2008-May/014935.html
http://lists.centos.org/pipermail/centos-announce/2008-May/014937.html

Affected packages: gnutls, gnutls-devel

Upstream details at: https://rhn.redhat.com/errata/RHSA-2008-0492.html