gnutls security update

2014-06-0409:21:48

CentOS Project

lists.centos.org

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.708 High

EPSS

Percentile

98.0%

JSON

CentOS Errata and Security Advisory CESA-2014:0595

The GnuTLS library provides support for cryptographic algorithms and for
protocols such as Transport Layer Security (TLS).

A flaw was found in the way GnuTLS parsed session IDs from ServerHello
messages of the TLS/SSL handshake. A malicious server could use this flaw
to send an excessively long session ID value, which would trigger a buffer
overflow in a connecting TLS/SSL client application using GnuTLS, causing
the client application to crash or, possibly, execute arbitrary code.
(CVE-2014-3466)

Red Hat would like to thank GnuTLS upstream for reporting this issue.
Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original
reporter.

Users of GnuTLS are advised to upgrade to these updated packages, which
correct this issue. For the update to take effect, all applications linked
to the GnuTLS library must be restarted.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2014-June/082500.html

Affected packages:
gnutls
gnutls-devel
gnutls-guile
gnutls-utils

Upstream details at:
https://access.redhat.com/errata/RHSA-2014:0595

OSVersionArchitecturePackageVersionFilename
CentOS6i686gnutls< 2.8.5-14.el6_5gnutls-2.8.5-14.el6_5.i686.rpm
CentOS6i686gnutls-devel< 2.8.5-14.el6_5gnutls-devel-2.8.5-14.el6_5.i686.rpm
CentOS6i686gnutls-guile< 2.8.5-14.el6_5gnutls-guile-2.8.5-14.el6_5.i686.rpm
CentOS6i686gnutls-utils< 2.8.5-14.el6_5gnutls-utils-2.8.5-14.el6_5.i686.rpm
CentOS6i686gnutls< 2.8.5-14.el6_5gnutls-2.8.5-14.el6_5.i686.rpm
CentOS6x86_64gnutls< 2.8.5-14.el6_5gnutls-2.8.5-14.el6_5.x86_64.rpm
CentOS6i686gnutls-devel< 2.8.5-14.el6_5gnutls-devel-2.8.5-14.el6_5.i686.rpm
CentOS6x86_64gnutls-devel< 2.8.5-14.el6_5gnutls-devel-2.8.5-14.el6_5.x86_64.rpm
CentOS6i686gnutls-guile< 2.8.5-14.el6_5gnutls-guile-2.8.5-14.el6_5.i686.rpm
CentOS6x86_64gnutls-guile< 2.8.5-14.el6_5gnutls-guile-2.8.5-14.el6_5.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
CentOS	6	i686	gnutls	< 2.8.5-14.el6_5	gnutls-2.8.5-14.el6_5.i686.rpm
CentOS	6	i686	gnutls-devel	< 2.8.5-14.el6_5	gnutls-devel-2.8.5-14.el6_5.i686.rpm
CentOS	6	i686	gnutls-guile	< 2.8.5-14.el6_5	gnutls-guile-2.8.5-14.el6_5.i686.rpm
CentOS	6	i686	gnutls-utils	< 2.8.5-14.el6_5	gnutls-utils-2.8.5-14.el6_5.i686.rpm
CentOS	6	i686	gnutls	< 2.8.5-14.el6_5	gnutls-2.8.5-14.el6_5.i686.rpm
CentOS	6	x86_64	gnutls	< 2.8.5-14.el6_5	gnutls-2.8.5-14.el6_5.x86_64.rpm
CentOS	6	i686	gnutls-devel	< 2.8.5-14.el6_5	gnutls-devel-2.8.5-14.el6_5.i686.rpm
CentOS	6	x86_64	gnutls-devel	< 2.8.5-14.el6_5	gnutls-devel-2.8.5-14.el6_5.x86_64.rpm
CentOS	6	i686	gnutls-guile	< 2.8.5-14.el6_5	gnutls-guile-2.8.5-14.el6_5.i686.rpm
CentOS	6	x86_64	gnutls-guile	< 2.8.5-14.el6_5	gnutls-guile-2.8.5-14.el6_5.x86_64.rpm