gnutls security update

3.1.18-10 - Applied fix for CVE-2014-8564 1161472...

RHEL 7 : gnutls (RHSA-2014:1846)

Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available from...

gnutls: out-of-bounds memory write

An out-of-bounds memory write flaw was found in the way GnuTLS parsed certain ECC Elliptic Curve Cryptography certificates or certificate signing requests CSR resulting in heap corruption...

Ubuntu 14.10 : gnutls28 vulnerability (USN-2403-1)

Sean Burford discovered that GnuTLS incorrectly handled printing certain elliptic curve parameters. A malicious remote server or client could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has...

USN-2403-1: GnuTLS vulnerability

Sean Burford discovered that GnuTLS incorrectly handled printing certain elliptic curve parameters. A malicious remote server or client could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code...

openSUSE Security Update : pidgin (openSUSE-SU-2014:1376-1)

The following issues were fixed in this update : + General : - Check the basic constraints extension when validating SSL/TLS certificates. This fixes a security hole that allowed a malicious man-in-the-middle to impersonate an IM server or any other https endpoint. This affected both the NSS and...

RHEL 6 : rhev-hypervisor6 (RHSA-2014:0815)

An updated rhev-hypervisor6 package that fixes several security issues is now available. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System CVSS base scores, which give detailed severity ratings, are available for each...

Pidgin 2.10.10 Patches SSL MiTM, DoS Vulnerabilities

A handful of security vulnerabilities were patched in the most recent release of the Pidgin open source instant messaging client, Pidgin 2.10.10, including a SSL/TLS certificate validation issue that could be exploited in man-in-the-middle attacks. Reported by Jacob Appelbaum of the Tor Project,...

CVE-2014-8564

The gnutlseccansix963export function in gnutlsecc.c in GnuTLS 3.x before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows remote attackers to cause a denial of service out-of-bounds write via a crafted 1 Elliptic Curve Cryptography ECC certificate or 2 certificate signing requests CSR,...

RHEL 6 : rhev-hypervisor6 (RHSA-2012:0531)

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:0531 advisory. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization...

RHEL 4 / 5 / 6 : gnutls (RHSA-2014:0288)

Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.3, 5.6 and 6.2 Long Life, and Red Hat Enterprise Linux 5.9, 6.3 and 6.4 Extended Update Support. The Red Hat Security Response Team has rate...

CVE-2014-3694

The 1 bundled GnuTLS SSL/TLS plugin and the 2 bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and...

CVE-2014-3694

The 1 bundled GnuTLS SSL/TLS plugin and the 2 bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and...

Information disclosure

The 1 bundled GnuTLS SSL/TLS plugin and the 2 bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and...

CVE-2014-3694

The 1 bundled GnuTLS SSL/TLS plugin and the 2 bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and...

Updated pidgin packages fix security vulnerabilities

In Pidgin before 2.10.10, both of libpurple's bundled SSL/TLS plugins one for GnuTLS and one for NSS failed to check that the Basic Constraints extension allowed intermediate certificates to act as CAs. This allowed anyone with any valid certificate to create a fake certificate for any arbitrary...

CVE-2014-3694

The 1 bundled GnuTLS SSL/TLS plugin and the 2 bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and...

Oracle Linux 6 : rsyslog7 (ELSA-2014-1654)

The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2014-1654 advisory. 7.4.10-3 - fix CVE-2014-3634 resolves: 1149150 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note that...

SOL15721 - GnuTLS vulnerability CVE-2013-1619

Recommended Action None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy SOL4918: Overview of the F5 critical issue...

UBUNTU-CVE-2014-3694

The 1 bundled GnuTLS SSL/TLS plugin and the 2 bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and...