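Multiple Remote Security Vulnerabilities in the GnuTLS Library
BUGTRAQ ID: 34783 CVE(CAN) ID: CVE-2009-1416, CVE-2009-1415, CVE-2009-1417 GnuTLS is a library that implements the TLS encryption protocol. Multiple security vulnerabilities in GnuTLS may be exploited remotely to conduct spoofing attacks, bypass certain security restrictions, or cause a denial of service. 1 An error in handling invalid DSA keys may lead to the freeing of invalid memory, and client applications may crash. 2 The GnuTLS library generates RSA keys instead of DSA keys, and the RSA keys produce cryptographically weak signatures. 3 The gnutls-cli application does not correctly check the activation and expiration dates of X.509 certificates, which may trick applications into accepting invalid certificates. 0 GNU GnuTLS 2.6.6 GN...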
CVE-2009-1417
gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function...
CVE-2009-1416
lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates RSA keys stored in DSA structures, instead of the intended DSA keys, which might allow remote attackers to spoof signatures on certificates or have unspecified other impact by leveraging an invalid DSA key...
CVE-2009-1415
lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not properly handle invalid DSA signatures, which allows remote attackers to cause a denial of service (application crash) and possibly have unspecified other impact via a malformed DSA key that triggers a (1) free of an uninitialized pointe...
Code injection
gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function...
Code injection
lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates RSA keys stored in DSA structures, instead of the intended DSA keys, which might allow remote attackers to spoof signatures on certificates or have unspecified other impact by leveraging an invalid DSA key...
CVE-2009-1417
CVE-2009-1417 concerns gnutls-cli in GnuTLS prior to 2.6.6, where the time checks for X.509 certificates are not performed in _gnutls_x509_verify_certificate. This allows a remote attacker to present a certificate that is not yet valid or has expired, with downstream impact on affected apps (Exim...
CVE-2009-1416
GnuTLS CVE-2009-1416 affects GnuTLS 2.5.0–2.6.5: libgnutls/libgnutls_pk.c generates RSA keys and stores them in DSA structures, enabling remote attackers to spoof certificate signatures or cause unspecified impact via an invalid DSA key. Connected documents reference CVE IDs and advisories; no im...
CVE-2009-1415
CVE-2009-1415 affects GnuTLS up to version 2.6.5 (fixed in 2.6.6). The flaw resides in lib/pk-libgcrypt.c within libgnutls, which mishandles invalid DSA signatures. A malformed DSA key can trigger a denial of service (application crash) and may cause additional impact, including a free of an unin...
GnuTLS 2.6.x - libgnutls libgnutls_pk.c DSA Key Storage Remote Spoofing
GnuTLS 2.6.x - libgnutls libgnutlspk.c DSA Key Storage Remote Spoofing // source: https://www.securityfocus.com/bid/34783/info GnuTLS is prone to multiple remote vulnerabilities: - A remote code-execution vulnerability - A denial-of-service vulnerability - A signature-generation vulnerability - A...
PT-2009-1087 · Gnu · Gnutls
Name of the Vulnerable Software and Affected Versions: GnuTLS versions prior to 2.6.6 Description: The issue concerns multiple vulnerabilities in the GnuTLS package that can be exploited remotely, potentially leading to breaches of confidentiality, integrity, and availability of protected...
GnuTLS 2.6.x - libgnutls lib/gnutls_pk.c DSA Key Storage Remote Spoofing
// source: https://www.securityfocus.com/bid/34783/info GnuTLS is prone to multiple remote vulnerabilities: - A remote code-execution vulnerability - A denial-of-service vulnerability - A signature-generation vulnerability - A signature-verification vulnerability An attacker can exploit these...
GnuTLS 2.6.x - libgnutls libpk-libgcrypt.c Malformed DSA Key Handling Remote Denial of Service
GnuTLS 2.6.x - libgnutls libpk-libgcrypt.c Malformed DSA Key Handling Remote Denial of Service // source: https://www.securityfocus.com/bid/34783/info GnuTLS is prone to multiple remote vulnerabilities: - A remote code-execution vulnerability - A denial-of-service vulnerability - A...
GnuTLS 2.6.x - libgnutls lib/pk-libgcrypt.c Malformed DSA Key Handling Remote Denial of Service
// source: https://www.securityfocus.com/bid/34783/info GnuTLS is prone to multiple remote vulnerabilities: - A remote code-execution vulnerability - A denial-of-service vulnerability - A signature-generation vulnerability - A signature-verification vulnerability An attacker can exploit these...
Mandriva Linux Security Advisory : gnutls (MDVSA-2008:227-1)
Martin von Gagern found a flaw in how GnuTLS versions 1.2.4 up until 2.6.1 verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications that used the GnuTLS library to trust invalid certificates (CVE-2008-4989). Updat...
Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : gnutls12, gnutls13, gnutls26 vulnerability (USN-678-1)
Martin von Gagern discovered that GnuTLS did not properly verify certificate chains when the last certificate in the chain was self-signed. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information (CVE-2008-4989). Note that...
Mandriva Linux Security Advisory : gnutls (MDVSA-2008:106)
Flaws discovered in versions prior to 2.2.4 (stable) and 2.3.10 (development) of GnuTLS allow an attacker to cause denial of service (application crash), and maybe (so far undetermined) execute arbitrary code. The updated packages have been patched to fix these flaws. Note that any applications using thi...