
4559 matches found

Tenable Nessus
added 2017/05/11 12:0 a.m. | 61 views

OracleVM 3.4 : qemu-kvm (OVMSA-2017-0101)

The remote OracleVM system is missing necessary patches to address critical security updates : - kvm-cirrus-avoid-write-only-variables.patch bz1444377 bz1444379 - kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt .patch - kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt .patch -...

9.9 CVSS | 7.2 AI score | 0.00634 EPSS
Exploits 0 | References 5

ossfuzz
added 2017/05/10 4:43 p.m. | 15 views

gnutls: Use-of-uninitialized-value in gnutls_pkcs12_verify_mac

Project: https://gitlab.com/gnutls/gnutls.git Detailed report: https://oss-fuzz.com/testcase?key=5921522709430272 Project: gnutls Fuzzer: libFuzzergnutlspkcs12keyparserfuzzer Fuzz target binary: gnutlspkcs12keyparserfuzzer Job Type: libfuzzermsangnutls Platform Id: linux Crash Type:...

7 AI score
Exploits 0 | Affected Software 1

ossfuzz
added 2017/05/10 4:43 p.m. | 10 views

gnutls: Use-of-uninitialized-value in wrap_nettle_pk_fixup

Project: https://gitlab.com/gnutls/gnutls.git Detailed report: https://oss-fuzz.com/testcase?key=5717312449544192 Project: gnutls Fuzzer: libFuzzergnutlsprivatekeyparserfuzzer Fuzz target binary: gnutlsprivatekeyparserfuzzer Job Type: libfuzzermsangnutls Platform Id: linux Crash Type:...

7 AI score
Exploits 0 | Affected Software 1

ossfuzz
added 2017/05/10 4:43 p.m. | 17 views

gnutls: Use-of-uninitialized-value in _gnutls_mpi_dprint_size

Project: https://gitlab.com/gnutls/gnutls.git Detailed report: https://oss-fuzz.com/testcase?key=5685300447674368 Project: gnutls Fuzzer: libFuzzergnutlsclientfuzzer Fuzz target binary: gnutlsclientfuzzer Job Type: libfuzzermsangnutls Platform Id: linux Crash Type: Use-of-uninitialized-value Cras...

7 AI score
Exploits 0 | Affected Software 1

ossfuzz
added 2017/05/10 4:42 p.m. | 10 views

gnutls: Use-of-uninitialized-value in gnutls_memset

Project: https://gitlab.com/gnutls/gnutls.git Detailed report: https://oss-fuzz.com/testcase?key=5321450548363264 Project: gnutls Fuzzer: libFuzzergnutlsclientfuzzer Fuzz target binary: gnutlsclientfuzzer Job Type: libfuzzermsangnutls Platform Id: linux Crash Type: Use-of-uninitialized-value Cras...

7 AI score
Exploits 0 | Affected Software 1

ossfuzz
added 2017/05/10 4:42 p.m. | 16 views

gnutls: Use-of-uninitialized-value in gnutls_ocsp_resp_get_status

Project: https://gitlab.com/gnutls/gnutls.git Detailed report: https://oss-fuzz.com/testcase?key=5280774389497856 Project: gnutls Fuzzer: libFuzzergnutlsocsprespparserfuzzer Fuzz target binary: gnutlsocsprespparserfuzzer Job Type: libfuzzermsangnutls Platform Id: linux Crash Type:...

7 AI score
Exploits 0 | Affected Software 1

ossfuzz
added 2017/05/10 4:41 p.m. | 10 views

gnutls: Use-of-uninitialized-value in asn1_write_value

Project: https://gitlab.com/gnutls/gnutls.git Detailed report: https://oss-fuzz.com/testcase?key=4687016769880064 Project: gnutls Fuzzer: libFuzzergnutlsocsprespparserfuzzer Fuzz target binary: gnutlsocsprespparserfuzzer Job Type: libfuzzermsangnutls Platform Id: linux Crash Type:...

7 AI score
Exploits 0 | Affected Software 1

ossfuzz
added 2017/05/10 4:41 p.m. | 11 views

gnutls: Use-of-uninitialized-value in gnutls_memset

Project: https://gitlab.com/gnutls/gnutls.git Detailed report: https://oss-fuzz.com/testcase?key=4591499331239936 Project: gnutls Fuzzer: libFuzzergnutlspkcs8keyparserfuzzer Fuzz target binary: gnutlspkcs8keyparserfuzzer Job Type: libfuzzermsangnutls Platform Id: linux Crash Type:...

7 AI score
Exploits 0 | Affected Software 1

ThreatPost
added 2017/05/09 4:41 p.m. | 13 views

Google's OSS-Fuzz Finds 1,000 Open Source Bugs

The numbers are in, and judging by them, OSS-Fuzz, the program Google unveiled last December to continuously fuzz open source software, has been a success. In five months the effort has unearthed more than 1,000 bugs, a quarter of them potential security vulnerabilities, Google says. OSS-Fuzz,...

7.5 AI score
Exploits 0 | References 6

Broadcom
added 2017/05/02 12:0 a.m. | 6 views

BSA-2017-250

Security Advisory ID : BSA-2017-250 Component : SSL TLS Revision : 1.0: Interim It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted OpenPGP certificate could lead to heap and stack overflows. This issue was fixed in GnuTLS 3.3.26 and 3.5.8. Affected Products Brocade ...

7.5 CVSS | 6.8 AI score | 0.02779 EPSS
Exploits 0

Broadcom
added 2017/05/02 12:0 a.m. | 6 views

BSA-2017-249

Security Advisory ID : BSA-2017-249 Component : SSL TLS Revision : 1.0: Interim It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted X.509 certificate with Proxy Certificate Information extension present could lead to a double free. This issue was fixed...

9.8 CVSS | 6.7 AI score | 0.05592 EPSS
Exploits 0

Tenable Nessus
added 2017/05/01 12:0 a.m. | 36 views

EulerOS 2.0 SP2 : gnutls (EulerOS-SA-2017-1041)

According to the version of the gnutls packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote...

7.5 CVSS | 6.9 AI score | 0.71356 EPSS
Exploits 1 | References 2

Tenable Nessus
added 2017/05/01 12:0 a.m. | 34 views

EulerOS 2.0 SP1 : gnutls (EulerOS-SA-2017-1042)

According to the version of the gnutls packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote...

7.5 CVSS | 6.9 AI score | 0.71356 EPSS
Exploits 1 | References 2

ossfuzz
added 2017/04/29 8:16 p.m. | 14 views

gnutls: Heap-use-after-free in gnutls_x509_crl_deinit

Project: https://gitlab.com/gnutls/gnutls.git Detailed report: https://oss-fuzz.com/testcase?key=5649010138284032 Project: gnutls Fuzzer: libFuzzergnutlspkcs12keyparserfuzzer Fuzz target binary: gnutlspkcs12keyparserfuzzer Job Type: libfuzzerasangnutls Platform Id: linux Crash Type:...

7 AI score
Exploits 0 | Affected Software 1

Check Point Advisories
added 2017/04/24 12:0 a.m. | 1 views

GnuTLS Proxy Certificate Information Extension Memory Corruption (CVE-2017-5334)

A memory corruption vulnerability has been reported in the GnuTLS library. The vulnerability is due to improper handling of the Proxy Certificate Information extension in X.509 certificates. A remote attacker can exploit this vulnerability in GnuTLS by sending a crafted X.509 certificate to a...

7.5 CVSS | 2.9 AI score | 0.05592 EPSS
Exploits 0

Fedora
added 2017/04/22 3:42 p.m. | 11 views

[SECURITY] Fedora 26 Update: mingw-gnutls-3.5.11-1.fc26

GnuTLS TLS/SSL encryption library. This library is cross-compiled for MinGW...

2.4 AI score
Exploits 0

Tenable Nessus
added 2017/04/21 12:0 a.m. | 45 views

Ubuntu 17.04 : curl vulnerability (USN-3262-1)

It was discovered that curl incorrectly handled client certificates when resuming a TLS session. A remote attacker could use this to hijack a previously authenticated connection. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security...

7.5 CVSS | 6.5 AI score | 0.00347 EPSS
Exploits 0 | References 2

CNVD
added 2017/04/20 12:0 a.m. | 1 views

GnuTLS has multiple vulnerabilities

GnuTLS is a free secure communications library for implementing the SSL, TLS and DTLS protocols developed by Nikos Mavrogiannopoulos of Belgium and Simon Josefsson of Sweden, software developers. A security vulnerability exists in the 'cdk_pkt_read' function in the opencdk/read-packet.c file in...

7.5 CVSS | 7.3 AI score | 0.00703 EPSS
Exploits 0 | References 1

RedhatCVE
added 2017/04/18 11:21 a.m. | 33 views

CVE-2017-7869

GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue which is a subset of the vendor's GNUTLS-SA-2017-3 report is fixed in 3.5.10...

8.1 CVSS | 2.7 AI score | 0.00703 EPSS
Exploits 0 | References 2

Tenable Nessus
added 2017/04/18 12:0 a.m. | 60 views

Amazon Linux AMI : gnutls (ALAS-2017-815)

A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. CVE-2016-8610...

9.8 CVSS | 6.8 AI score | 0.71356 EPSS
Exploits 1 | References 5