{"cve": [{"lastseen": "2021-02-02T06:14:24", "description": "lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.", "edition": 6, "cvss3": {}, "published": "2014-03-07T00:10:00", "title": "CVE-2014-0092", "type": "cve", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0092"], "modified": "2016-11-28T19:10:00", "cpe": ["cpe:/a:gnu:gnutls:3.1.12", "cpe:/a:gnu:gnutls:3.2.10", "cpe:/a:gnu:gnutls:3.1.13", "cpe:/a:gnu:gnutls:3.1.20", "cpe:/a:gnu:gnutls:3.2.11", "cpe:/a:gnu:gnutls:3.1.18", "cpe:/a:gnu:gnutls:3.1.8", "cpe:/a:gnu:gnutls:3.2.9", "cpe:/a:gnu:gnutls:3.1.2", "cpe:/a:gnu:gnutls:3.2.7", "cpe:/a:gnu:gnutls:3.1.0", "cpe:/a:gnu:gnutls:3.1.16", "cpe:/a:gnu:gnutls:3.1.11", "cpe:/a:gnu:gnutls:3.2.4", "cpe:/a:gnu:gnutls:3.1.4", "cpe:/a:gnu:gnutls:3.2.3", "cpe:/a:gnu:gnutls:3.1.9", "cpe:/a:gnu:gnutls:3.2.8", "cpe:/a:gnu:gnutls:3.1.17", "cpe:/a:gnu:gnutls:3.1.3", "cpe:/a:gnu:gnutls:3.1.7", "cpe:/a:gnu:gnutls:3.2.8.1", "cpe:/a:gnu:gnutls:3.2.5", "cpe:/a:gnu:gnutls:3.2.2", "cpe:/a:gnu:gnutls:3.1.21", "cpe:/a:gnu:gnutls:3.1.10", "cpe:/a:gnu:gnutls:3.1.19", "cpe:/a:gnu:gnutls:3.1.15", "cpe:/a:gnu:gnutls:3.1.6", "cpe:/a:gnu:gnutls:3.1.5", "cpe:/a:gnu:gnutls:3.2.1", "cpe:/a:gnu:gnutls:3.2.6", "cpe:/a:gnu:gnutls:3.1.1", "cpe:/a:gnu:gnutls:3.1.14", "cpe:/a:gnu:gnutls:3.2.0"], "id": "CVE-2014-0092", 
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0092", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:gnu:gnutls:3.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.17:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.18:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.2.10:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.19:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.13:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.2.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.14:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.21:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.20:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.16:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.15:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.2.5:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2016-09-26T17:22:54", "bulletinFamily": "software", "cvelist": ["CVE-2014-0092"], "edition": 1, "description": "Recommended action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by 
upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists.\n\nFor affected ARX systems, F5 recommends that you expose the management interface only on trusted networks.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "modified": "2014-12-12T00:00:00", "published": "2014-04-10T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15160.html", "id": "SOL15160", "title": "SOL15160 - GnuTLS vulnerability CVE-2014-0092", "type": "f5", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "debian": [{"lastseen": "2020-11-11T13:18:38", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2869-1 security@debian.org\nhttp://www.debian.org/security/ Yves-Alexis Perez\nMarch 03, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : gnutls26\nVulnerability : incorrect certificate verification\nCVE ID : CVE-2014-0092\n\nNikos Mavrogiannopoulos of Red Hat discovered an X.509 certificate\nverification issue in GnuTLS, an SSL/TLS library. 
A certificate\nvalidation could be reported successfully even in cases where an error\nwould prevent all verification steps to be performed.\n\nAn attacker doing a man-in-the-middle of a TLS connection could use this\nvulnerability to present a carefully crafted certificate that would be\naccepted by GnuTLS as valid even if not signed by one of the trusted\nauthorities.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in\nversion 2.8.6-1+squeeze3.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2.12.20-8+deb7u1.\n\nFor the testing distribution (jessie), this problem has been fixed in\nversion 2.12.23-13.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.12.23-13.\n\nWe recommend that you upgrade your gnutls26 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2014-03-03T20:15:09", "published": "2014-03-03T20:15:09", "id": "DEBIAN:DSA-2869-1:11A88", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00040.html", "title": "[SECURITY] [DSA 2869-1] gnutls26 security update", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "suse": [{"lastseen": "2016-09-04T12:23:22", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092"], "description": "The GnuTLS library received a critical security fix:\n\n * CVE-2014-0092: The X.509 certificate verification had\n incorrect error handling, which could lead to broken\n certificates marked as being valid.\n", "edition": 1, "modified": "2014-03-04T18:04:13", "published": "2014-03-04T18:04:13", "id": "SUSE-SU-2014:0324-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00005.html", "type": "suse", "title": "Security update 
for gnutls (critical)", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:32:46", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092"], "description": "The gnutls library was updated to fix SSL certificate\n validation. Remote man-in-the-middle attackers were able to\n make the verification believe that a SSL certificate is\n valid even though it was not.\n\n", "edition": 1, "modified": "2014-03-05T19:04:13", "published": "2014-03-05T19:04:13", "id": "OPENSUSE-SU-2014:0328-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00007.html", "type": "suse", "title": "gnutls: fixed SSL certificate validation (critical)", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T11:35:13", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1619", "CVE-2014-0092"], "description": "The gnutls library was updated to fix SSL certificate\n validation. Remote man-in-the-middle attackers were able to\n make the verification believe that a SSL certificate is\n valid even though it was not. 
Also the TLS-CBC timing\n attack vulnerability was fixed.\n\n", "edition": 1, "modified": "2014-03-08T19:04:13", "published": "2014-03-08T19:04:13", "id": "OPENSUSE-SU-2014:0346-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00009.html", "type": "suse", "title": "gnutls (critical)", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:33:55", "bulletinFamily": "unix", "cvelist": ["CVE-2009-5138", "CVE-2014-0092"], "description": "The GnuTLS library received a critical security fix and\n other updates:\n\n * CVE-2014-0092: The X.509 certificate verification had\n incorrect error handling, which could lead to broken\n certificates marked as being valid.\n * CVE-2009-5138: A verification problem in handling V1\n certificates could also lead to V1 certificates incorrectly\n being handled.\n\n Additionally, a memory leak in PSK authentication was\n fixed. bnc#835760\n\n Security Issues:\n\n * CVE-2014-0092\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092>\n\n", "edition": 1, "modified": "2014-03-04T01:08:22", "published": "2014-03-04T01:08:22", "id": "SUSE-SU-2014:0323-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00004.html", "type": "suse", "title": "Security update for gnutls (critical)", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:01:48", "bulletinFamily": "unix", "cvelist": ["CVE-2009-5138", "CVE-2014-0092"], "description": "The GnuTLS library received a critical security fix and\n other updates:\n\n * CVE-2014-0092: The X.509 certificate verification had\n incorrect error handling, which could lead to broken\n certificates marked as being valid.\n * CVE-2009-5138: A verification problem in handling V1\n certificates could also lead to V1 certificates 
incorrectly\n being handled.\n\n Additionally a memory leak in PSK authentication has been\n fixed (bnc#835760).\n", "edition": 1, "modified": "2014-03-04T01:04:17", "published": "2014-03-04T01:04:17", "id": "SUSE-SU-2014:0319-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00000.html", "type": "suse", "title": "Security update for gnutls (critical)", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:43:04", "bulletinFamily": "unix", "cvelist": ["CVE-2009-5138", "CVE-2014-0092"], "description": "The GNUTLS library received a critical security fix and\n other updates:\n\n * CVE-2014-0092: The X.509 certificate verification had\n incorrect error handling, which could lead to broken\n certificates marked as being valid.\n * CVE-2009-5138: A verification problem in handling V1\n certificates could also lead to V1 certificates incorrectly\n being handled.\n\n Additionally, a memory leak in PSK authentication was\n fixed. 
(bnc#835760)\n\n Security Issues references:\n\n * CVE-2014-0092\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092>\n * CVE-2009-5138\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5138>\n\n", "edition": 1, "modified": "2014-03-25T19:04:38", "published": "2014-03-25T19:04:38", "id": "SUSE-SU-2014:0445-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00020.html", "type": "suse", "title": "Security update for gnutls (important)", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T11:55:38", "bulletinFamily": "unix", "cvelist": ["CVE-2009-5138", "CVE-2014-0092"], "description": "The GnuTLS library received a critical security fix and\n other updates:\n\n * CVE-2014-0092: The X.509 certificate verification had\n incorrect error handling, which could lead to broken\n certificates marked as being valid.\n * CVE-2009-5138: A verification problem in handling V1\n certificates could also lead to V1 certificates incorrectly\n being handled.\n", "edition": 1, "modified": "2014-03-04T01:06:51", "published": "2014-03-04T01:06:51", "id": "SUSE-SU-2014:0321-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00002.html", "type": "suse", "title": "Security update for gnutls (critical)", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:09:51", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1619", "CVE-2009-5138", "CVE-2014-0092", "CVE-2013-2116"], "description": "The GnuTLS library received a critical security fix and\n other updates:\n\n * CVE-2014-0092: The X.509 certificate verification had\n incorrect error handling, which could lead to broken\n certificates marked as 
being valid.\n * CVE-2009-5138: A verification problem in handling V1\n certificates could also lead to V1 certificates incorrectly\n being handled.\n * CVE-2013-2116: The _gnutls_ciphertext2compressed\n function in lib/gnutls_cipher.c in GnuTLS allowed remote\n attackers to cause a denial of service (buffer over-read\n and crash) via a crafted padding length.\n * CVE-2013-1619: Timing attacks against hashing of\n padding was fixed which might have allowed disclosure of\n keys. (Lucky13 attack).\n\n Also the following non-security bugs have been fixed:\n\n * gnutls doesn't like root CAs without Basic\n Constraints. Permit V1 Certificate Authorities properly\n (bnc#760265)\n * memory leak in PSK authentication (bnc#835760)\n", "edition": 1, "modified": "2014-03-04T01:07:15", "published": "2014-03-04T01:07:15", "id": "SUSE-SU-2014:0322-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00003.html", "title": "Security update for gnutls (critical)", "type": "suse", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "amazon": [{"lastseen": "2020-11-10T12:37:05", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092"], "description": "**Issue Overview:**\n\nIt was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. 
([CVE-2014-0092](<https://access.redhat.com/security/cve/CVE-2014-0092>))\n\n \n**Affected Packages:** \n\n\ngnutls\n\n \n**Issue Correction:** \nRun _yum update gnutls_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n gnutls-guile-2.8.5-13.11.amzn1.i686 \n gnutls-utils-2.8.5-13.11.amzn1.i686 \n gnutls-devel-2.8.5-13.11.amzn1.i686 \n gnutls-2.8.5-13.11.amzn1.i686 \n gnutls-debuginfo-2.8.5-13.11.amzn1.i686 \n \n src: \n gnutls-2.8.5-13.11.amzn1.src \n \n x86_64: \n gnutls-2.8.5-13.11.amzn1.x86_64 \n gnutls-devel-2.8.5-13.11.amzn1.x86_64 \n gnutls-debuginfo-2.8.5-13.11.amzn1.x86_64 \n gnutls-guile-2.8.5-13.11.amzn1.x86_64 \n gnutls-utils-2.8.5-13.11.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2014-03-06T14:58:00", "published": "2014-03-06T14:58:00", "id": "ALAS-2014-301", "href": "https://alas.aws.amazon.com/ALAS-2014-301.html", "title": "Important: gnutls", "type": "amazon", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "ubuntu": [{"lastseen": "2020-07-02T11:35:02", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092"], "description": "Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly handled \ncertificate verification functions. 
If a remote attacker were able to \nperform a man-in-the-middle attack, this flaw could be exploited with \nspecially crafted certificates to view sensitive information.", "edition": 5, "modified": "2014-03-04T00:00:00", "published": "2014-03-04T00:00:00", "id": "USN-2127-1", "href": "https://ubuntu.com/security/notices/USN-2127-1", "title": "GnuTLS vulnerability", "type": "ubuntu", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "seebug": [{"lastseen": "2017-11-19T17:35:49", "description": "BUGTRAQ ID: 65919\r\nCVE(CAN) ID: CVE-2014-0092\r\n\r\nGnuTLS is a library that implements the TLS encryption protocol.\r\n\r\nVersions of GnuTLS before 3.1.22 and 3.2.12 contain a security vulnerability in their implementation: errors in X.509 certificate verification are handled incorrectly, so a faulty certificate can be marked as valid, which allows a remote user to exploit this vulnerability to bypass certificate verification.\n0\nGnuTLS GnuTLS 3.2.12\r\nGnuTLS GnuTLS 3.1.22\nVendor patch:\r\n\r\nGnuTLS\r\n------\r\nThe vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:\r\n\r\nhttp://gnutls.org\r\nhttp://gnutls.org/security.html#GNUTLS-SA-2014-2", "published": "2014-03-05T00:00:00", "type": "seebug", "title": "GnuTLS certificate verification security restriction bypass vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0092"], "modified": "2014-03-05T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61641", "id": "SSV:61641", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2020-01-31T18:39:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], 
"description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2014-03-12T00:00:00", "id": "OPENVAS:1361412562310850574", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850574", "type": "openvas", "title": "openSUSE: Security Advisory for gnutls (openSUSE-SU-2014:0328-1)", "sourceData": "# Copyright (C) 2014 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850574\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-03-12 09:29:22 +0530 (Wed, 12 Mar 2014)\");\n script_cve_id(\"CVE-2014-0092\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"openSUSE: Security Advisory for gnutls (openSUSE-SU-2014:0328-1)\");\n\n script_tag(name:\"affected\", value:\"gnutls on openSUSE 12.3\");\n\n script_tag(name:\"insight\", value:\"The gnutls library was updated to fix SSL certificate\n validation. 
Remote man-in-the-middle attackers were able to\n make the verification believe that a SSL certificate is\n valid even though it was not.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"openSUSE-SU\", value:\"2014:0328-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'gnutls'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE12\\.3\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE12.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"gnutls\", rpm:\"gnutls~3.0.28~1.4.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"gnutls-debuginfo\", rpm:\"gnutls-debuginfo~3.0.28~1.4.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"gnutls-debugsource\", rpm:\"gnutls-debugsource~3.0.28~1.4.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls-devel\", rpm:\"libgnutls-devel~3.0.28~1.4.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls-openssl-devel\", rpm:\"libgnutls-openssl-devel~3.0.28~1.4.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls-openssl27\", rpm:\"libgnutls-openssl27~3.0.28~1.4.1\", 
rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls-openssl27-debuginfo\", rpm:\"libgnutls-openssl27-debuginfo~3.0.28~1.4.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls28\", rpm:\"libgnutls28~3.0.28~1.4.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls28-debuginfo\", rpm:\"libgnutls28-debuginfo~3.0.28~1.4.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutlsxx-devel\", rpm:\"libgnutlsxx-devel~3.0.28~1.4.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutlsxx28\", rpm:\"libgnutlsxx28~3.0.28~1.4.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutlsxx28-debuginfo\", rpm:\"libgnutlsxx28-debuginfo~3.0.28~1.4.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls-devel-32bit\", rpm:\"libgnutls-devel-32bit~3.0.28~1.4.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls28-32bit\", rpm:\"libgnutls28-32bit~3.0.28~1.4.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls28-debuginfo-32bit\", rpm:\"libgnutls28-debuginfo-32bit~3.0.28~1.4.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:37:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "description": "Nikos Mavrogiannopoulos of Red Hat discovered an X.509 certificate\nverification issue in GnuTLS, an SSL/TLS library. 
A certificate\nvalidation could be reported successfully even in cases where an error\nwould prevent all verification steps to be performed.\n\nAn attacker doing a man-in-the-middle of a TLS connection could use this\nvulnerability to present a carefully crafted certificate that would be\naccepted by GnuTLS as valid even if not signed by one of the trusted\nauthorities.", "modified": "2019-03-19T00:00:00", "published": "2014-03-03T00:00:00", "id": "OPENVAS:1361412562310702869", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310702869", "type": "openvas", "title": "Debian Security Advisory DSA 2869-1 (gnutls26 - incorrect certificate verification)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2869.nasl 14302 2019-03-19 08:28:48Z cfischer $\n# Auto-generated from advisory DSA 2869-1 using nvtgen 1.0\n# Script version: 1.1\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.702869\");\n script_version(\"$Revision: 14302 $\");\n script_cve_id(\"CVE-2014-0092\");\n script_name(\"Debian Security Advisory DSA 2869-1 (gnutls26 - incorrect certificate verification)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-19 09:28:48 +0100 (Tue, 19 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-03-03 00:00:00 +0100 (Mon, 03 Mar 2014)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2014/dsa-2869.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(6|7)\");\n script_tag(name:\"affected\", value:\"gnutls26 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (squeeze), this problem has been fixed in\nversion 2.8.6-1+squeeze3.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2.12.20-8+deb7u1.\n\nFor the testing distribution (jessie), this problem has been fixed in\nversion 2.12.23-13.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.12.23-13.\n\nWe recommend that you upgrade your gnutls26 packages.\");\n script_tag(name:\"summary\", value:\"Nikos Mavrogiannopoulos of Red Hat discovered an X.509 certificate\nverification issue in GnuTLS, an SSL/TLS library. 
A certificate\nvalidation could be reported successfully even in cases where an error\nwould prevent all verification steps to be performed.\n\nAn attacker doing a man-in-the-middle of a TLS connection could use this\nvulnerability to present a carefully crafted certificate that would be\naccepted by GnuTLS as valid even if not signed by one of the trusted\nauthorities.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"gnutls-bin\", ver:\"2.8.6-1+squeeze3\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"gnutls-doc\", ver:\"2.8.6-1+squeeze3\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"guile-gnutls\", ver:\"2.8.6-1+squeeze3\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgnutls-dev\", ver:\"2.8.6-1+squeeze3\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgnutls26\", ver:\"2.8.6-1+squeeze3\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgnutls26-dbg\", ver:\"2.8.6-1+squeeze3\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"gnutls-bin\", ver:\"2.12.20-8+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"gnutls26-doc\", ver:\"2.12.20-8+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"guile-gnutls\", ver:\"2.12.20-8+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgnutls-dev\", ver:\"2.12.20-8+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgnutls-openssl27\", ver:\"2.12.20-8+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += 
res;\n}\nif((res = isdpkgvuln(pkg:\"libgnutls26\", ver:\"2.12.20-8+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgnutls26-dbg\", ver:\"2.12.20-8+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgnutlsxx27\", ver:\"2.12.20-8+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-01-31T18:39:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2014-03-12T00:00:00", "id": "OPENVAS:1361412562310850575", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850575", "type": "openvas", "title": "openSUSE: Security Advisory for gnutls (openSUSE-SU-2014:0325-1)", "sourceData": "# Copyright (C) 2014 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850575\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-03-12 09:29:26 +0530 (Wed, 12 Mar 2014)\");\n script_cve_id(\"CVE-2014-0092\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"openSUSE: Security Advisory for gnutls (openSUSE-SU-2014:0325-1)\");\n\n script_tag(name:\"affected\", value:\"gnutls on openSUSE 13.1\");\n\n script_tag(name:\"insight\", value:\"The gnutls library was updated to fix x509 certificate\n validation problems, where man-in-the-middle attackers\n could hijack SSL connections.\n\n This update also reenables Elliptic Curve support to meet\n current day cryptographic requirements.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"openSUSE-SU\", value:\"2014:0325-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'gnutls'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", 
re:\"ssh/login/release=openSUSE13\\.1\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE13.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"gnutls\", rpm:\"gnutls~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"gnutls-debuginfo\", rpm:\"gnutls-debuginfo~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"gnutls-debugsource\", rpm:\"gnutls-debugsource~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls-devel\", rpm:\"libgnutls-devel~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls-openssl-devel\", rpm:\"libgnutls-openssl-devel~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls-openssl27\", rpm:\"libgnutls-openssl27~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls-openssl27-debuginfo\", rpm:\"libgnutls-openssl27-debuginfo~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls28\", rpm:\"libgnutls28~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls28-debuginfo\", rpm:\"libgnutls28-debuginfo~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutlsxx-devel\", rpm:\"libgnutlsxx-devel~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutlsxx28\", rpm:\"libgnutlsxx28~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutlsxx28-debuginfo\", rpm:\"libgnutlsxx28-debuginfo~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += 
res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls-devel-32bit\", rpm:\"libgnutls-devel-32bit~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls28-32bit\", rpm:\"libgnutls28-32bit~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgnutls28-debuginfo-32bit\", rpm:\"libgnutls28-debuginfo-32bit~3.2.4~2.14.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2017-07-27T10:48:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "description": "Check for the Version of gnutls", "modified": "2017-07-12T00:00:00", "published": "2014-03-04T00:00:00", "id": "OPENVAS:871132", "href": "http://plugins.openvas.org/nasl.php?oid=871132", "type": "openvas", "title": "RedHat Update for gnutls RHSA-2014:0246-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for gnutls RHSA-2014:0246-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(871132);\n script_version(\"$Revision: 6688 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:49:31 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-03-04 10:51:24 +0530 (Tue, 04 Mar 2014)\");\n script_cve_id(\"CVE-2014-0092\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"RedHat Update for gnutls RHSA-2014:0246-01\");\n\n tag_insight = \"The GnuTLS library provides support for cryptographic algorithms and for\nprotocols such as Transport Layer Security (TLS).\n\nIt was discovered that GnuTLS did not correctly handle certain errors that\ncould occur during the verification of an X.509 certificate, causing it to\nincorrectly report a successful verification. An attacker could use this\nflaw to create a specially crafted certificate that could be accepted by\nGnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)\n\nThe CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the\nRed Hat Security Technologies Team.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which\ncorrect this issue. For the update to take effect, all applications linked\nto the GnuTLS library must be restarted.\n\";\n\n tag_affected = \"gnutls on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 
6)\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"RHSA\", value: \"2014:0246-01\");\n script_xref(name: \"URL\" , value: \"https://www.redhat.com/archives/rhsa-announce/2014-March/msg00001.html\");\n script_summary(\"Check for the Version of gnutls\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnutls\", rpm:\"gnutls~2.8.5~13.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"gnutls-debuginfo\", rpm:\"gnutls-debuginfo~2.8.5~13.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"gnutls-devel\", rpm:\"gnutls-devel~2.8.5~13.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"gnutls-utils\", rpm:\"gnutls-utils~2.8.5~13.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2020-03-17T23:00:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "description": "The remote host is missing an update announced via the 
referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120522", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120522", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2014-301)", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120522\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:28:29 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2014-301)\");\n script_tag(name:\"insight\", value:\"It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. 
(CVE-2014-0092 )\");\n script_tag(name:\"solution\", value:\"Run yum update gnutls to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-301.html\");\n script_cve_id(\"CVE-2014-0092\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"gnutls-guile\", rpm:\"gnutls-guile~2.8.5~13.11.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"gnutls-utils\", rpm:\"gnutls-utils~2.8.5~13.11.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"gnutls-devel\", rpm:\"gnutls-devel~2.8.5~13.11.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"gnutls\", rpm:\"gnutls~2.8.5~13.11.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"gnutls-debuginfo\", rpm:\"gnutls-debuginfo~2.8.5~13.11.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:37:33", "bulletinFamily": 
"scanner", "cvelist": ["CVE-2014-0092"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2014-03-12T00:00:00", "id": "OPENVAS:1361412562310841746", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841746", "type": "openvas", "title": "Ubuntu Update for gnutls26 USN-2127-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2127_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for gnutls26 USN-2127-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841746\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-03-12 09:41:15 +0530 (Wed, 12 Mar 2014)\");\n script_cve_id(\"CVE-2014-0092\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"Ubuntu Update for gnutls26 USN-2127-1\");\n\n script_tag(name:\"affected\", value:\"gnutls26 on Ubuntu 13.10,\n Ubuntu 12.10,\n Ubuntu 12.04 LTS,\n Ubuntu 10.04 LTS\");\n script_tag(name:\"insight\", value:\"Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly\nhandled certificate verification functions. 
If a remote attacker were able to\nperform a man-in-the-middle attack, this flaw could be exploited with\nspecially crafted certificates to view sensitive information.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"USN\", value:\"2127-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2127-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'gnutls26'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(12\\.04 LTS|10\\.04 LTS|13\\.10|12\\.10)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libgnutls26\", ver:\"2.12.14-5ubuntu3.7\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libgnutls26\", ver:\"2.8.5-2ubuntu0.5\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU13.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libgnutls26:i386\", ver:\"2.12.23-1ubuntu4.2\", rls:\"UBUNTU13.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libgnutls26\", 
ver:\"2.12.14-5ubuntu4.6\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:37:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2014-03-04T00:00:00", "id": "OPENVAS:1361412562310871132", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871132", "type": "openvas", "title": "RedHat Update for gnutls RHSA-2014:0246-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for gnutls RHSA-2014:0246-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871132\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-03-04 10:51:24 +0530 (Tue, 04 Mar 2014)\");\n script_cve_id(\"CVE-2014-0092\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"RedHat Update for gnutls RHSA-2014:0246-01\");\n\n\n script_tag(name:\"affected\", value:\"gnutls on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"insight\", value:\"The GnuTLS library provides support for cryptographic algorithms and for\nprotocols such as Transport Layer Security (TLS).\n\nIt was discovered that GnuTLS did not correctly handle certain errors that\ncould occur during the verification of an X.509 certificate, causing it to\nincorrectly report a successful verification. An attacker could use this\nflaw to create a specially crafted certificate that could be accepted by\nGnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)\n\nThe CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the\nRed Hat Security Technologies Team.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which\ncorrect this issue. 
For the update to take effect, all applications linked\nto the GnuTLS library must be restarted.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"RHSA\", value:\"2014:0246-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2014-March/msg00001.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'gnutls'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnutls\", rpm:\"gnutls~2.8.5~13.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"gnutls-debuginfo\", rpm:\"gnutls-debuginfo~2.8.5~13.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"gnutls-devel\", rpm:\"gnutls-devel~2.8.5~13.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"gnutls-utils\", rpm:\"gnutls-utils~2.8.5~13.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2017-12-04T11:17:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "description": "Check for the Version of 
gnutls26", "modified": "2017-12-01T00:00:00", "published": "2014-03-12T00:00:00", "id": "OPENVAS:841746", "href": "http://plugins.openvas.org/nasl.php?oid=841746", "type": "openvas", "title": "Ubuntu Update for gnutls26 USN-2127-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2127_1.nasl 7957 2017-12-01 06:40:08Z santu $\n#\n# Ubuntu Update for gnutls26 USN-2127-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(841746);\n script_version(\"$Revision: 7957 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:40:08 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-03-12 09:41:15 +0530 (Wed, 12 Mar 2014)\");\n script_cve_id(\"CVE-2014-0092\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"Ubuntu Update for gnutls26 USN-2127-1\");\n\n tag_insight = \"Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly\nhandled certificate verification functions. 
If a remote attacker were able to\nperform a man-in-the-middle attack, this flaw could be exploited with\nspecially crafted certificates to view sensitive information.\";\n\n tag_affected = \"gnutls26 on Ubuntu 13.10 ,\n Ubuntu 12.10 ,\n Ubuntu 12.04 LTS ,\n Ubuntu 10.04 LTS\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"USN\", value: \"2127-1\");\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-2127-1/\");\n script_summary(\"Check for the Version of gnutls26\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libgnutls26\", ver:\"2.12.14-5ubuntu3.7\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libgnutls26\", ver:\"2.8.5-2ubuntu0.5\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU13.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libgnutls26:i386\", ver:\"2.12.23-1ubuntu4.2\", rls:\"UBUNTU13.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) 
exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libgnutls26\", ver:\"2.12.14-5ubuntu4.6\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-05-29T18:37:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-03-12T00:00:00", "id": "OPENVAS:1361412562310881893", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881893", "type": "openvas", "title": "CentOS Update for gnutls CESA-2014:0246 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for gnutls CESA-2014:0246 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881893\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-03-12 09:27:50 +0530 (Wed, 12 Mar 2014)\");\n script_cve_id(\"CVE-2014-0092\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"CentOS Update for gnutls CESA-2014:0246 centos6\");\n\n script_tag(name:\"affected\", value:\"gnutls on CentOS 6\");\n script_tag(name:\"insight\", value:\"The GnuTLS library provides support for cryptographic algorithms and for\nprotocols such as Transport Layer Security (TLS).\n\nIt was discovered that GnuTLS did not correctly handle certain errors that\ncould occur during the verification of an X.509 certificate, causing it to\nincorrectly report a successful verification. An attacker could use this\nflaw to create a specially crafted certificate that could be accepted by\nGnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)\n\nThe CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the\nRed Hat Security Technologies Team.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which\ncorrect this issue. 
For the update to take effect, all applications linked\nto the GnuTLS library must be restarted.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"CESA\", value:\"2014:0246\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-March/020185.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'gnutls'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnutls\", rpm:\"gnutls~2.8.5~13.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"gnutls-devel\", rpm:\"gnutls-devel~2.8.5~13.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"gnutls-guile\", rpm:\"gnutls-guile~2.8.5~13.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"gnutls-utils\", rpm:\"gnutls-utils~2.8.5~13.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2017-12-12T11:09:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "description": "Check for the Version of gnutls", 
"modified": "2017-12-08T00:00:00", "published": "2014-03-12T00:00:00", "id": "OPENVAS:850575", "href": "http://plugins.openvas.org/nasl.php?oid=850575", "type": "openvas", "title": "SuSE Update for gnutls openSUSE-SU-2014:0325-1 (gnutls)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2014_0325_1.nasl 8044 2017-12-08 08:32:49Z santu $\n#\n# SuSE Update for gnutls openSUSE-SU-2014:0325-1 (gnutls)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(850575);\n script_version(\"$Revision: 8044 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-08 09:32:49 +0100 (Fri, 08 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-03-12 09:29:26 +0530 (Wed, 12 Mar 2014)\");\n script_cve_id(\"CVE-2014-0092\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"SuSE Update for gnutls openSUSE-SU-2014:0325-1 (gnutls)\");\n\n tag_insight = \"\n The gnutls library was updated to fixed x509 certificate\n validation problems, where man-in-the-middle attackers\n could hijack SSL connections.\n\n This update also reenables Elliptic Curve support to meet\n current day cryptographic requirements.\";\n\n tag_affected = \"gnutls on openSUSE 13.1\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"openSUSE-SU\", value: \"2014:0325_1\");\n script_summary(\"Check for the Version of gnutls\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n 
exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE13.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnutls\", rpm:\"gnutls~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"gnutls-debuginfo\", rpm:\"gnutls-debuginfo~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"gnutls-debugsource\", rpm:\"gnutls-debugsource~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgnutls-devel\", rpm:\"libgnutls-devel~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgnutls-openssl-devel\", rpm:\"libgnutls-openssl-devel~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgnutls-openssl27\", rpm:\"libgnutls-openssl27~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgnutls-openssl27-debuginfo\", rpm:\"libgnutls-openssl27-debuginfo~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgnutls28\", rpm:\"libgnutls28~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgnutls28-debuginfo\", rpm:\"libgnutls28-debuginfo~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgnutlsxx-devel\", rpm:\"libgnutlsxx-devel~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgnutlsxx28\", 
rpm:\"libgnutlsxx28~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgnutlsxx28-debuginfo\", rpm:\"libgnutlsxx28-debuginfo~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgnutls-devel-32bit\", rpm:\"libgnutls-devel-32bit~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgnutls28-32bit\", rpm:\"libgnutls28-32bit~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgnutls28-debuginfo-32bit\", rpm:\"libgnutls28-debuginfo-32bit~3.2.4~2.14.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:54", "bulletinFamily": "software", "cvelist": ["CVE-2014-0092"], "description": "Invalid error handling.", "edition": 1, "modified": "2014-03-13T00:00:00", "published": "2014-03-13T00:00:00", "id": "SECURITYVULNS:VULN:13603", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13603", "title": "GnuTLS certificate validation bypass", "type": "securityvulns", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:50", "bulletinFamily": "software", "cvelist": ["CVE-2014-0092"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2014:048\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : gnutls\r\n Date : March 10, 
2014\r\n Affected: Business Server 1.0, Enterprise Server 5.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Updated gnutls packages fix security vulnerability:\r\n \r\n It was discovered that GnuTLS did not correctly handle certain errors\r\n that could occur during the verification of an X.509 certificate,\r\n causing it to incorrectly report a successful verification. An attacker\r\n could use this flaw to create a specially crafted certificate that\r\n could be accepted by GnuTLS as valid for a site chosen by the attacker\r\n (CVE-2014-0092).\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092\r\n http://advisories.mageia.org/MGASA-2014-0117.html\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Enterprise Server 5:\r\n 102f795d8475e9c9d6df72aeffd9213b mes5/i586/gnutls-2.4.1-2.10mdvmes5.2.i586.rpm\r\n 1f87f8bce0222e4bad7f098e9ae04467 mes5/i586/libgnutls26-2.4.1-2.10mdvmes5.2.i586.rpm\r\n c9bffc45aaddf198ccf185d130cd06c6 mes5/i586/libgnutls-devel-2.4.1-2.10mdvmes5.2.i586.rpm \r\n c713dc5b541177d7ad289853a6be2869 mes5/SRPMS/gnutls-2.4.1-2.10mdvmes5.2.src.rpm\r\n\r\n Mandriva Enterprise Server 5/X86_64:\r\n 74cf2ef8f62b6695fb7e0302bbd05f21 mes5/x86_64/gnutls-2.4.1-2.10mdvmes5.2.x86_64.rpm\r\n 1c915d2bfcadb6cb85ee2a80a3adf6ce mes5/x86_64/lib64gnutls26-2.4.1-2.10mdvmes5.2.x86_64.rpm\r\n 62d52e05b82032c7952f2dbf8e60482f mes5/x86_64/lib64gnutls-devel-2.4.1-2.10mdvmes5.2.x86_64.rpm \r\n c713dc5b541177d7ad289853a6be2869 mes5/SRPMS/gnutls-2.4.1-2.10mdvmes5.2.src.rpm\r\n\r\n Mandriva Business Server 1/X86_64:\r\n 53bb1704d26e27aeeeddfdcf093c28a3 mbs1/x86_64/gnutls-3.0.28-1.2.mbs1.x86_64.rpm\r\n 9d87ba4210c47fd889e311cfddcbc0eb mbs1/x86_64/lib64gnutls28-3.0.28-1.2.mbs1.x86_64.rpm\r\n 3055076fd43b6a23e8ca36ca898e2378 
mbs1/x86_64/lib64gnutls-devel-3.0.28-1.2.mbs1.x86_64.rpm\r\n 6c7adf3386ec46df821457f8ed0962f0 mbs1/x86_64/lib64gnutls-ssl27-3.0.28-1.2.mbs1.x86_64.rpm \r\n 2399c9cd4b3b4eb1cd1ad82a2dbbc90e mbs1/SRPMS/gnutls-3.0.28-1.2.mbs1.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n\r\niD8DBQFTHYuPmqjQ0CJFipgRAnO5AJ9UPgEWklfcapkAlRUrevDFRY5w1QCfUwqw\r\nBPc793TFRj1+Ic7Ckur6Ahs=\r\n=EexV\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2014-03-13T00:00:00", "published": "2014-03-13T00:00:00", "id": "SECURITYVULNS:DOC:30360", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30360", "title": "[ MDVSA-2014:048 ] gnutls", "type": "securityvulns", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "slackware": [{"lastseen": "2020-10-25T16:36:28", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092"], "description": "New gnutls packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix a security issue.\n\n\nHere are the details from the Slackware 14.1 
ChangeLog:\n\npatches/packages/gnutls-3.1.22-i486-1_slack14.1.txz: Upgraded.\n Fixed a security issue where a specially crafted certificate could\n bypass certificate validation checks.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092\n (* Security fix *)\n\nThanks to mancha for backporting the patch for Slackware 13.0, 13.1, 13.37, and 14.0!\n\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/gnutls-2.8.4-i486-3_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/gnutls-2.8.4-x86_64-3_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/gnutls-2.8.6-i486-3_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/gnutls-2.8.6-x86_64-3_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/gnutls-2.10.5-i486-3_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/gnutls-2.10.5-x86_64-3_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/gnutls-3.0.31-i486-3_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/gnutls-3.0.31-x86_64-3_slack14.0.txz\n\nUpdated package for Slackware 
14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/gnutls-3.1.22-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/gnutls-3.1.22-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/gnutls-3.1.22-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/gnutls-3.1.22-x86_64-1.txz\n\n\nMD5 signatures:\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg gnutls-3.1.22-i486-1_slack14.1.txz", "modified": "2014-03-04T00:43:33", "published": "2014-03-04T00:43:33", "id": "SSA-2014-062-01", "href": 
"http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.507575", "type": "slackware", "title": "[slackware-security] gnutls", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "redhat": [{"lastseen": "2019-08-13T18:46:20", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092"], "description": "The GnuTLS library provides support for cryptographic algorithms and for\nprotocols such as Transport Layer Security (TLS).\n\nIt was discovered that GnuTLS did not correctly handle certain errors that\ncould occur during the verification of an X.509 certificate, causing it to\nincorrectly report a successful verification. An attacker could use this\nflaw to create a specially crafted certificate that could be accepted by\nGnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)\n\nThis issue was discovered by Nikos Mavrogiannopoulos of the Red Hat\nSecurity Technologies Team.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which\ncorrect this issue. For the update to take effect, all applications linked\nto the GnuTLS library must be restarted.\n", "modified": "2017-09-08T12:07:20", "published": "2014-03-12T04:00:00", "id": "RHSA-2014:0288", "href": "https://access.redhat.com/errata/RHSA-2014:0288", "type": "redhat", "title": "(RHSA-2014:0288) Important: gnutls security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:45:44", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092"], "description": "The GnuTLS library provides support for cryptographic algorithms and for\nprotocols such as Transport Layer Security (TLS).\n\nIt was discovered that GnuTLS did not correctly handle certain errors that\ncould occur during the verification of an X.509 certificate, causing it to\nincorrectly report a successful verification. 
An attacker could use this\nflaw to create a specially crafted certificate that could be accepted by\nGnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)\n\nThe CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the\nRed Hat Security Technologies Team.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which\ncorrect this issue. For the update to take effect, all applications linked\nto the GnuTLS library must be restarted.\n", "modified": "2018-06-06T20:24:08", "published": "2014-03-03T05:00:00", "id": "RHSA-2014:0246", "href": "https://access.redhat.com/errata/RHSA-2014:0246", "type": "redhat", "title": "(RHSA-2014:0246) Important: gnutls security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:45:08", "bulletinFamily": "unix", "cvelist": ["CVE-2009-5138", "CVE-2014-0092"], "description": "The GnuTLS library provides support for cryptographic algorithms and for\nprotocols such as Transport Layer Security (TLS).\n\nIt was discovered that GnuTLS did not correctly handle certain errors that\ncould occur during the verification of an X.509 certificate, causing it to\nincorrectly report a successful verification. An attacker could use this\nflaw to create a specially crafted certificate that could be accepted by\nGnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)\n\nA flaw was found in the way GnuTLS handled version 1 X.509 certificates.\nAn attacker able to obtain a version 1 certificate from a trusted\ncertificate authority could use this flaw to issue certificates for other\nsites that would be accepted by GnuTLS as valid. (CVE-2009-5138)\n\nThe CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the\nRed Hat Security Technologies Team.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which\ncorrect these issues. 
For the update to take effect, all applications\nlinked to the GnuTLS library must be restarted.\n", "modified": "2017-09-08T11:59:39", "published": "2014-03-03T05:00:00", "id": "RHSA-2014:0247", "href": "https://access.redhat.com/errata/RHSA-2014:0247", "type": "redhat", "title": "(RHSA-2014:0247) Important: gnutls security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "centos": [{"lastseen": "2019-12-20T18:25:11", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092"], "description": "**CentOS Errata and Security Advisory** CESA-2014:0246\n\n\nThe GnuTLS library provides support for cryptographic algorithms and for\nprotocols such as Transport Layer Security (TLS).\n\nIt was discovered that GnuTLS did not correctly handle certain errors that\ncould occur during the verification of an X.509 certificate, causing it to\nincorrectly report a successful verification. An attacker could use this\nflaw to create a specially crafted certificate that could be accepted by\nGnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)\n\nThe CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the\nRed Hat Security Technologies Team.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which\ncorrect this issue. 
For the update to take effect, all applications linked\nto the GnuTLS library must be restarted.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-March/032223.html\n\n**Affected packages:**\ngnutls\ngnutls-devel\ngnutls-guile\ngnutls-utils\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0246.html", "edition": 3, "modified": "2014-03-04T21:00:04", "published": "2014-03-04T21:00:04", "href": "http://lists.centos.org/pipermail/centos-announce/2014-March/032223.html", "id": "CESA-2014:0246", "title": "gnutls security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-12-20T18:27:48", "bulletinFamily": "unix", "cvelist": ["CVE-2009-5138", "CVE-2014-0092"], "description": "**CentOS Errata and Security Advisory** CESA-2014:0247\n\n\nThe GnuTLS library provides support for cryptographic algorithms and for\nprotocols such as Transport Layer Security (TLS).\n\nIt was discovered that GnuTLS did not correctly handle certain errors that\ncould occur during the verification of an X.509 certificate, causing it to\nincorrectly report a successful verification. An attacker could use this\nflaw to create a specially crafted certificate that could be accepted by\nGnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)\n\nA flaw was found in the way GnuTLS handled version 1 X.509 certificates.\nAn attacker able to obtain a version 1 certificate from a trusted\ncertificate authority could use this flaw to issue certificates for other\nsites that would be accepted by GnuTLS as valid. (CVE-2009-5138)\n\nThe CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the\nRed Hat Security Technologies Team.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which\ncorrect these issues. 
For the update to take effect, all applications\nlinked to the GnuTLS library must be restarted.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-March/032221.html\n\n**Affected packages:**\ngnutls\ngnutls-devel\ngnutls-utils\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0247.html", "edition": 3, "modified": "2014-03-04T20:51:10", "published": "2014-03-04T20:51:10", "href": "http://lists.centos.org/pipermail/centos-announce/2014-March/032221.html", "id": "CESA-2014:0247", "title": "gnutls security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "nessus": [{"lastseen": "2021-01-17T12:48:48", "description": "From Red Hat Security Advisory 2014:0246 :\n\nUpdated gnutls packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nThe GnuTLS library provides support for cryptographic algorithms and\nfor protocols such as Transport Layer Security (TLS).\n\nIt was discovered that GnuTLS did not correctly handle certain errors\nthat could occur during the verification of an X.509 certificate,\ncausing it to incorrectly report a successful verification. An\nattacker could use this flaw to create a specially crafted certificate\nthat could be accepted by GnuTLS as valid for a site chosen by the\nattacker. (CVE-2014-0092)\n\nThe CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of\nthe Red Hat Security Technologies Team.\n\nUsers of GnuTLS are advised to upgrade to these updated packages,\nwhich correct this issue. 
For the update to take effect, all\napplications linked to the GnuTLS library must be restarted.", "edition": 21, "published": "2014-03-04T00:00:00", "title": "Oracle Linux 6 : gnutls (ELSA-2014-0246)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "modified": "2014-03-04T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:gnutls-utils", "p-cpe:/a:oracle:linux:gnutls", "p-cpe:/a:oracle:linux:gnutls-guile", "p-cpe:/a:oracle:linux:gnutls-devel"], "id": "ORACLELINUX_ELSA-2014-0246.NASL", "href": "https://www.tenable.com/plugins/nessus/72791", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2014:0246 and \n# Oracle Linux Security Advisory ELSA-2014-0246 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72791);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-0092\");\n script_bugtraq_id(57736, 60215, 65919);\n script_xref(name:\"RHSA\", value:\"2014:0246\");\n\n script_name(english:\"Oracle Linux 6 : gnutls (ELSA-2014-0246)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2014:0246 :\n\nUpdated gnutls packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. 
A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nThe GnuTLS library provides support for cryptographic algorithms and\nfor protocols such as Transport Layer Security (TLS).\n\nIt was discovered that GnuTLS did not correctly handle certain errors\nthat could occur during the verification of an X.509 certificate,\ncausing it to incorrectly report a successful verification. An\nattacker could use this flaw to create a specially crafted certificate\nthat could be accepted by GnuTLS as valid for a site chosen by the\nattacker. (CVE-2014-0092)\n\nThe CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of\nthe Red Hat Security Technologies Team.\n\nUsers of GnuTLS are advised to upgrade to these updated packages,\nwhich correct this issue. For the update to take effect, all\napplications linked to the GnuTLS library must be restarted.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-March/003998.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected gnutls packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:gnutls\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:gnutls-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:gnutls-guile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:gnutls-utils\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"gnutls-2.8.5-13.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"gnutls-devel-2.8.5-13.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"gnutls-guile-2.8.5-13.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"gnutls-utils-2.8.5-13.el6_5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gnutls / gnutls-devel / gnutls-guile / gnutls-utils\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-20T15:26:42", "description": "Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly handled\ncertificate verification functions. If a remote attacker were able to\nperform a man-in-the-middle attack, this flaw could be exploited with\nspecially crafted certificates to view sensitive information.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2014-03-05T00:00:00", "title": "Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : gnutls26 vulnerability (USN-2127-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "modified": "2014-03-05T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:13.10", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "cpe:/o:canonical:ubuntu_linux:12.10", "p-cpe:/a:canonical:ubuntu_linux:libgnutls26", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-2127-1.NASL", "href": "https://www.tenable.com/plugins/nessus/72812", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2127-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72812);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-0092\");\n script_xref(name:\"USN\", value:\"2127-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : gnutls26 vulnerability (USN-2127-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly handled\ncertificate verification functions. 
If a remote attacker were able to\nperform a man-in-the-middle attack, this flaw could be exploited with\nspecially crafted certificates to view sensitive information.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2127-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libgnutls26 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libgnutls26\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:13.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04|12\\.04|12\\.10|13\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04 / 12.04 / 12.10 / 13.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"libgnutls26\", pkgver:\"2.8.5-2ubuntu0.5\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"libgnutls26\", pkgver:\"2.12.14-5ubuntu3.7\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"libgnutls26\", pkgver:\"2.12.14-5ubuntu4.6\")) flag++;\nif (ubuntu_check(osver:\"13.10\", pkgname:\"libgnutls26\", pkgver:\"2.12.23-1ubuntu4.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libgnutls26\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-12T09:48:22", "description": "Nikos Mavrogiannopoulos of Red Hat discovered an X.509 certificate\nverification issue in GnuTLS, an SSL/TLS library. 
A certificate\nvalidation could be reported successfully even in cases where an error\nwould prevent all verification steps to be performed.\n\nAn attacker doing a man-in-the-middle of a TLS connection could use\nthis vulnerability to present a carefully crafted certificate that\nwould be accepted by GnuTLS as valid even if not signed by one of the\ntrusted authorities.", "edition": 16, "published": "2014-03-04T00:00:00", "title": "Debian DSA-2869-1 : gnutls26 - incorrect certificate verification", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "modified": "2014-03-04T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:gnutls26"], "id": "DEBIAN_DSA-2869.NASL", "href": "https://www.tenable.com/plugins/nessus/72782", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2869. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72782);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-0092\");\n script_bugtraq_id(65919);\n script_xref(name:\"DSA\", value:\"2869\");\n\n script_name(english:\"Debian DSA-2869-1 : gnutls26 - incorrect certificate verification\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Nikos Mavrogiannopoulos of Red Hat discovered an X.509 certificate\nverification issue in GnuTLS, an SSL/TLS library. 
A certificate\nvalidation could be reported successfully even in cases where an error\nwould prevent all verification steps to be performed.\n\nAn attacker doing a man-in-the-middle of a TLS connection could use\nthis vulnerability to present a carefully crafted certificate that\nwould be accepted by GnuTLS as valid even if not signed by one of the\ntrusted authorities.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/gnutls26\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/gnutls26\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2014/dsa-2869\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the gnutls26 packages.\n\nFor the oldstable distribution (squeeze), this problem has been fixed\nin version 2.8.6-1+squeeze3.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2.12.20-8+deb7u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gnutls26\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, 
Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"gnutls-bin\", reference:\"2.8.6-1+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"gnutls-doc\", reference:\"2.8.6-1+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"guile-gnutls\", reference:\"2.8.6-1+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libgnutls-dev\", reference:\"2.8.6-1+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libgnutls26\", reference:\"2.8.6-1+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libgnutls26-dbg\", reference:\"2.8.6-1+squeeze3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"gnutls-bin\", reference:\"2.12.20-8+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"gnutls26-doc\", reference:\"2.12.20-8+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"guile-gnutls\", reference:\"2.12.20-8+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libgnutls-dev\", reference:\"2.12.20-8+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libgnutls-openssl27\", reference:\"2.12.20-8+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libgnutls26\", reference:\"2.12.20-8+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libgnutls26-dbg\", reference:\"2.12.20-8+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libgnutlsxx27\", reference:\"2.12.20-8+deb7u1\")) flag++;\n\nif (flag)\n{\n if 
(report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-06T09:29:23", "description": "Updated gnutls packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nThe GnuTLS library provides support for cryptographic algorithms and\nfor protocols such as Transport Layer Security (TLS).\n\nIt was discovered that GnuTLS did not correctly handle certain errors\nthat could occur during the verification of an X.509 certificate,\ncausing it to incorrectly report a successful verification. An\nattacker could use this flaw to create a specially crafted certificate\nthat could be accepted by GnuTLS as valid for a site chosen by the\nattacker. (CVE-2014-0092)\n\nThe CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of\nthe Red Hat Security Technologies Team.\n\nUsers of GnuTLS are advised to upgrade to these updated packages,\nwhich correct this issue. 
For the update to take effect, all\napplications linked to the GnuTLS library must be restarted.", "edition": 24, "published": "2014-03-05T00:00:00", "title": "CentOS 6 : gnutls (CESA-2014:0246)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "modified": "2014-03-05T00:00:00", "cpe": ["p-cpe:/a:centos:centos:gnutls-devel", "cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:gnutls-utils", "p-cpe:/a:centos:centos:gnutls-guile", "p-cpe:/a:centos:centos:gnutls"], "id": "CENTOS_RHSA-2014-0246.NASL", "href": "https://www.tenable.com/plugins/nessus/72803", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0246 and \n# CentOS Errata and Security Advisory 2014:0246 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72803);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2014-0092\");\n script_bugtraq_id(65919);\n script_xref(name:\"RHSA\", value:\"2014:0246\");\n\n script_name(english:\"CentOS 6 : gnutls (CESA-2014:0246)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated gnutls packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. 
A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nThe GnuTLS library provides support for cryptographic algorithms and\nfor protocols such as Transport Layer Security (TLS).\n\nIt was discovered that GnuTLS did not correctly handle certain errors\nthat could occur during the verification of an X.509 certificate,\ncausing it to incorrectly report a successful verification. An\nattacker could use this flaw to create a specially crafted certificate\nthat could be accepted by GnuTLS as valid for a site chosen by the\nattacker. (CVE-2014-0092)\n\nThe CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of\nthe Red Hat Security Technologies Team.\n\nUsers of GnuTLS are advised to upgrade to these updated packages,\nwhich correct this issue. For the update to take effect, all\napplications linked to the GnuTLS library must be restarted.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2014-March/020185.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a33a9be3\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected gnutls packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-0092\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:gnutls\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:gnutls-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:gnutls-guile\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:gnutls-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"gnutls-2.8.5-13.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"gnutls-devel-2.8.5-13.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"gnutls-guile-2.8.5-13.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"gnutls-utils-2.8.5-13.el6_5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gnutls / gnutls-devel / gnutls-guile / gnutls-utils\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-12T10:12:34", "description": "Added fix for CVE-2014-0092\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2014-03-07T00:00:00", "title": "Fedora 20 : gnutls-3.1.20-4.fc20 (2014-3413)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "modified": "2014-03-07T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:gnutls", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2014-3413.NASL", "href": "https://www.tenable.com/plugins/nessus/72869", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-3413.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72869);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-0092\");\n script_bugtraq_id(65919);\n script_xref(name:\"FEDORA\", value:\"2014-3413\");\n\n script_name(english:\"Fedora 20 : gnutls-3.1.20-4.fc20 (2014-3413)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Added fix for CVE-2014-0092\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1069865\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129476.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e39f07f2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected gnutls package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:gnutls\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"gnutls-3.1.20-4.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gnutls\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-20T12:27:25", "description": "The gnutls library was updated to fix x509 certificate validation\nproblems, where man-in-the-middle attackers could hijack SSL\nconnections.\n\nThis update also reenables Elliptic Curve support to meet current day\ncryptographic requirements.", "edition": 19, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : gnutls (openSUSE-SU-2014:0325-1)", "type": 
"nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libgnutlsxx28-debuginfo", "p-cpe:/a:novell:opensuse:libgnutls28-debuginfo", "p-cpe:/a:novell:opensuse:libgnutls28-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libgnutls28", "p-cpe:/a:novell:opensuse:libgnutls-openssl-devel", "p-cpe:/a:novell:opensuse:libgnutlsxx28", "p-cpe:/a:novell:opensuse:libgnutls-openssl27-debuginfo", "p-cpe:/a:novell:opensuse:libgnutls28-32bit", "p-cpe:/a:novell:opensuse:libgnutlsxx-devel", "p-cpe:/a:novell:opensuse:libgnutls-openssl27", "p-cpe:/a:novell:opensuse:gnutls", "p-cpe:/a:novell:opensuse:libgnutls-devel", "p-cpe:/a:novell:opensuse:gnutls-debugsource", "cpe:/o:novell:opensuse:13.1", "p-cpe:/a:novell:opensuse:gnutls-debuginfo", "p-cpe:/a:novell:opensuse:libgnutls-devel-32bit"], "id": "OPENSUSE-2014-181.NASL", "href": "https://www.tenable.com/plugins/nessus/75274", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-181.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(75274);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-0092\");\n script_bugtraq_id(65919);\n\n script_name(english:\"openSUSE Security Update : gnutls (openSUSE-SU-2014:0325-1)\");\n script_summary(english:\"Check for the openSUSE-2014-181 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The gnutls library was updated to fixed x509 certificate validation\nproblems, where man-in-the-middle attackers could hijack 
SSL\nconnections.\n\nThis update also reenables Elliptic Curve support to meet current day\ncryptographic requirements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=865804\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2014-03/msg00004.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected gnutls packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:gnutls\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:gnutls-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:gnutls-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgnutls-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgnutls-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgnutls-openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgnutls-openssl27\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgnutls-openssl27-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgnutls28\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgnutls28-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgnutls28-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:libgnutls28-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgnutlsxx-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgnutlsxx28\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgnutlsxx28-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"gnutls-3.2.4-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"gnutls-debuginfo-3.2.4-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"gnutls-debugsource-3.2.4-2.14.1\") ) flag++;\nif 
( rpm_check(release:\"SUSE13.1\", reference:\"libgnutls-devel-3.2.4-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libgnutls-openssl-devel-3.2.4-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libgnutls-openssl27-3.2.4-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libgnutls-openssl27-debuginfo-3.2.4-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libgnutls28-3.2.4-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libgnutls28-debuginfo-3.2.4-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libgnutlsxx-devel-3.2.4-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libgnutlsxx28-3.2.4-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libgnutlsxx28-debuginfo-3.2.4-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libgnutls-devel-32bit-3.2.4-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libgnutls28-32bit-3.2.4-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libgnutls28-debuginfo-32bit-3.2.4-2.14.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gnutls\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-17T09:10:42", "description": "New gnutls packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, and -current to fix a security issue.", "edition": 24, "published": "2014-03-04T00:00:00", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : gnutls (SSA:2014-062-01)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "modified": "2014-03-04T00:00:00", "cpe": 
["cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:13.37", "cpe:/o:slackware:slackware_linux:14.0", "p-cpe:/a:slackware:slackware_linux:gnutls", "cpe:/o:slackware:slackware_linux:13.0", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:13.1"], "id": "SLACKWARE_SSA_2014-062-01.NASL", "href": "https://www.tenable.com/plugins/nessus/72781", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2014-062-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72781);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-0092\");\n script_bugtraq_id(65919);\n script_xref(name:\"SSA\", value:\"2014-062-01\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : gnutls (SSA:2014-062-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New gnutls packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, and -current to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.507575\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?93ea3041\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected gnutls package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", 
value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:gnutls\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"gnutls\", pkgver:\"2.8.4\", pkgarch:\"i486\", pkgnum:\"3_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"gnutls\", pkgver:\"2.8.4\", pkgarch:\"x86_64\", pkgnum:\"3_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"gnutls\", pkgver:\"2.8.6\", pkgarch:\"i486\", pkgnum:\"3_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"gnutls\", pkgver:\"2.8.6\", pkgarch:\"x86_64\", pkgnum:\"3_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"gnutls\", pkgver:\"2.10.5\", pkgarch:\"i486\", pkgnum:\"3_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"gnutls\", pkgver:\"2.10.5\", pkgarch:\"x86_64\", pkgnum:\"3_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"gnutls\", pkgver:\"3.0.31\", pkgarch:\"i486\", pkgnum:\"3_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"gnutls\", pkgver:\"3.0.31\", pkgarch:\"x86_64\", pkgnum:\"3_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"gnutls\", 
pkgver:\"3.1.22\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"gnutls\", pkgver:\"3.1.22\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"gnutls\", pkgver:\"3.1.22\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"gnutls\", pkgver:\"3.1.22\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-04-01T01:23:09", "description": "It was discovered that GnuTLS did not correctly handle certain errors\nthat could occur during the verification of an X.509 certificate,\ncausing it to incorrectly report a successful verification. An\nattacker could use this flaw to create a specially crafted certificate\nthat could be accepted by GnuTLS as valid for a site chosen by the\nattacker. 
(CVE-2014-0092)", "edition": 26, "published": "2014-03-12T00:00:00", "title": "Amazon Linux AMI : gnutls (ALAS-2014-301)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "modified": "2021-04-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:gnutls", "p-cpe:/a:amazon:linux:gnutls-debuginfo", "p-cpe:/a:amazon:linux:gnutls-utils", "p-cpe:/a:amazon:linux:gnutls-devel", "p-cpe:/a:amazon:linux:gnutls-guile", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2014-301.NASL", "href": "https://www.tenable.com/plugins/nessus/72949", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-301.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72949);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2014-0092\");\n script_xref(name:\"ALAS\", value:\"2014-301\");\n script_xref(name:\"RHSA\", value:\"2014:0246\");\n\n script_name(english:\"Amazon Linux AMI : gnutls (ALAS-2014-301)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that GnuTLS did not correctly handle certain errors\nthat could occur during the verification of an X.509 certificate,\ncausing it to incorrectly report a successful verification. An\nattacker could use this flaw to create a specially crafted certificate\nthat could be accepted by GnuTLS as valid for a site chosen by the\nattacker. 
(CVE-2014-0092)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-301.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update gnutls' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:gnutls\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:gnutls-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:gnutls-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:gnutls-guile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:gnutls-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver 
== 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"gnutls-2.8.5-13.11.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"gnutls-debuginfo-2.8.5-13.11.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"gnutls-devel-2.8.5-13.11.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"gnutls-guile-2.8.5-13.11.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"gnutls-utils-2.8.5-13.11.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gnutls / gnutls-debuginfo / gnutls-devel / gnutls-guile / etc\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-17T13:48:12", "description": "It was discovered that GnuTLS did not correctly handle certain errors\nthat could occur during the verification of an X.509 certificate,\ncausing it to incorrectly report a successful verification. An\nattacker could use this flaw to create a specially crafted certificate\nthat could be accepted by GnuTLS as valid for a site chosen by the\nattacker. 
(CVE-2014-0092)\n\nFor the update to take effect, all applications linked to the GnuTLS\nlibrary must be restarted.", "edition": 15, "published": "2014-03-04T00:00:00", "title": "Scientific Linux Security Update : gnutls on SL6.x i386/x86_64 (20140303)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "modified": "2014-03-04T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:gnutls-debuginfo", "p-cpe:/a:fermilab:scientific_linux:gnutls-devel", "p-cpe:/a:fermilab:scientific_linux:gnutls-utils", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:gnutls-guile", "p-cpe:/a:fermilab:scientific_linux:gnutls"], "id": "SL_20140303_GNUTLS_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/72796", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72796);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-0092\");\n\n script_name(english:\"Scientific Linux Security Update : gnutls on SL6.x i386/x86_64 (20140303)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that GnuTLS did not correctly handle certain errors\nthat could occur during the verification of an X.509 certificate,\ncausing it to incorrectly report a successful verification. An\nattacker could use this flaw to create a specially crafted certificate\nthat could be accepted by GnuTLS as valid for a site chosen by the\nattacker. 
(CVE-2014-0092)\n\nFor the update to take effect, all applications linked to the GnuTLS\nlibrary must be restarted.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1403&L=scientific-linux-errata&T=0&P=199\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9288d1da\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:gnutls\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:gnutls-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:gnutls-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:gnutls-guile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:gnutls-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"gnutls-2.8.5-13.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"gnutls-debuginfo-2.8.5-13.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"gnutls-devel-2.8.5-13.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"gnutls-guile-2.8.5-13.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"gnutls-utils-2.8.5-13.el6_5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gnutls / gnutls-debuginfo / gnutls-devel / 
gnutls-guile / etc\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-07T11:54:33", "description": "Updated gnutls packages fix security vulnerability :\n\nIt was discovered that GnuTLS did not correctly handle certain errors\nthat could occur during the verification of an X.509 certificate,\ncausing it to incorrectly report a successful verification. An\nattacker could use this flaw to create a specially crafted certificate\nthat could be accepted by GnuTLS as valid for a site chosen by the\nattacker (CVE-2014-0092).", "edition": 25, "published": "2014-03-11T00:00:00", "title": "Mandriva Linux Security Advisory : gnutls (MDVSA-2014:048)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0092"], "modified": "2014-03-11T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:gnutls", "p-cpe:/a:mandriva:linux:lib64gnutls-ssl27", "p-cpe:/a:mandriva:linux:lib64gnutls-devel", "p-cpe:/a:mandriva:linux:lib64gnutls28"], "id": "MANDRIVA_MDVSA-2014-048.NASL", "href": "https://www.tenable.com/plugins/nessus/72919", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:048. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72919);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-0092\");\n script_bugtraq_id(65919);\n script_xref(name:\"MDVSA\", value:\"2014:048\");\n\n script_name(english:\"Mandriva Linux Security Advisory : gnutls (MDVSA-2014:048)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated gnutls packages fix security vulnerability :\n\nIt was discovered that GnuTLS did not correctly handle certain errors\nthat could occur during the verification of an X.509 certificate,\ncausing it to incorrectly report a successful verification. 
An\nattacker could use this flaw to create a specially crafted certificate\nthat could be accepted by GnuTLS as valid for a site chosen by the\nattacker (CVE-2014-0092).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0117.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:gnutls\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64gnutls-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64gnutls-ssl27\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64gnutls28\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandrake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"gnutls-3.0.28-1.2.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64gnutls-devel-3.0.28-1.2.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64gnutls-ssl27-3.0.28-1.2.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64gnutls28-3.0.28-1.2.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "ics": [{"lastseen": "2021-02-27T19:55:07", "bulletinFamily": "info", "cvelist": ["CVE-2014-0092"], "description": "## OVERVIEW\n\nThis updated advisory is a follow-up to the original advisory titled ICSA-14-135-03 Siemens RuggedCom ROX-Based Devices Certificate Verification Vulnerability that was published May 15, 2014, on the NCCIC/ICS-CERT web site.\n\nSiemens has reported to ICS-CERT an incorrect certificate verification in RuggedCom ROX\u2011based devices. 
Siemens is working on a firmware update for the affected products.\n\nThis vulnerability could be exploited remotely.\n\n## AFFECTED PRODUCTS\n\nThe following Siemens RuggedCom ROX-based devices are affected:\n\n### **\\--------- Begin Update A Part 1 of 2 --------**\n\n * ROX 1 prior to Version 1.16.1,\n * ROX 2 prior to Version 2.6\n\n### **\\--------- End Update A Part 1 of 2 ----------**\n\n## IMPACT\n\nIn RuggedCom ROX-based devices, GnuTLS is used for client certificate verification. Because GnuTLS is vulnerable to an incorrect error handling issue within this function, an attacker would be able to perform man-in-the-middle attacks.\n\nImpact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.\n\n## BACKGROUND\n\nSiemens is an international company headquartered in Munich, Germany. Siemens develops products mainly in the energy, healthcare and public health sectors, and transportation systems.\n\nThe affected products, RuggedCom switches and serial-to-Ethernet devices, are used to connect devices that operate in harsh environments such as electric utility substations and traffic control cabinets.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### CRYPTOGRAPHIC ISSUES [a]\n\nROX-based RuggedCom devices use GnuTLS libraries to enable secure communication. GnuTLS suffers from incorrect error handling in certificate verification, which could allow man\u2011in-the-middle attacks, and this may affect multiple services in these devices.\n\nThe following client-side services use GnuTLS libraries:\n\n * Secure Syslog (only affects ROX Version 1.16)\n * Software upgrades with HTTPS-based connections. Nonsecure connections are not affected. 
(Only affects ROX Versions 2.4 and 2.5)\n * FTPS (only affects ROX versions from v2.2 through v2.5 inclusive)\n\nCVE-2014-0092 [b] has been assigned to this vulnerability. A CVSS v2 base score of 5.8 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:P/I:P/A:N). [c]\n\n### VULNERABILITY DETAILS\n\n#### EXPLOITABILITY\n\nThis vulnerability could be exploited remotely.\n\n#### EXISTENCE OF EXPLOIT\n\nNo known public exploits specifically target this vulnerability.\n\n#### DIFFICULTY\n\nAn attacker with moderate skill would be able to exploit this vulnerability.\n\n## MITIGATION\n\n### **\\--------- Begin Update A Part 2 of 2 --------**\n\nSiemens has developed firmware update V2.6.0 for ROX 2 and V1.16.1 for ROX 1, which fixes the vulnerability. It can be obtained from Siemens by either of the following methods:\n\n * Submit a support request online:\n * <http://www.siemens.com/automation/support-request>\n * Call a local hotline center:\n * <http://www.automation.siemens.com/mcms/aspa-db/en/automation-technology/Pages/default.aspx>\n\n### **\\--------- End Update A Part 2 of 2 ----------**\n\nFor more information please see Siemens advisory SSA-839231 on this subject at its web site:\n\n<http://www.siemens.com/cert/advisories>\n\nICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. 
Also recognize that VPN is only as secure as the connected devices.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\n * [a] CWE-310: Cryptographic Issues, http://cwe.mitre.org/data/definitions/310.html, web site last accessed May 15, 2014.\n * [b] NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0092, web site last accessed May 15, 2014.\n * [c] CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:N, web site last visited May 15, 2014.\n\n## Contact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. 
", "modified": "2018-09-06T00:00:00", "published": "2014-10-16T00:00:00", "id": "ICSA-14-135-03A", "href": "https://www.us-cert.gov/ics/advisories/ICSA-14-135-03A", "type": "ics", "title": "Siemens RuggedCom ROX-based Devices Certificate Verification Vulnerability (Update A)", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092", "CVE-2014-1959"], "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. ", "modified": "2014-03-06T08:17:02", "published": "2014-03-06T08:17:02", "id": "FEDORA:CFC6B20E12", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: gnutls-3.1.20-4.fc20", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092", "CVE-2014-1959"], "description": "GnuTLS TLS/SSL encryption library. This library is cross-compiled for MinGW. 
", "modified": "2014-03-15T15:25:21", "published": "2014-03-15T15:25:21", "id": "FEDORA:8291F2202C", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: mingw-gnutls-3.1.22-1.fc20", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092", "CVE-2014-1959"], "description": "GnuTLS TLS/SSL encryption library. This library is cross-compiled for MinGW. ", "modified": "2014-03-15T15:22:59", "published": "2014-03-15T15:22:59", "id": "FEDORA:98D2B21BE8", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: mingw-gnutls-3.1.22-1.fc19", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092", "CVE-2014-1959", "CVE-2014-3466"], "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. ", "modified": "2014-06-04T07:53:52", "published": "2014-06-04T07:53:52", "id": "FEDORA:69B4D218A2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: gnutls-3.1.25-1.fc20", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092", "CVE-2014-1959", "CVE-2014-3466"], "description": "GnuTLS TLS/SSL encryption library. This library is cross-compiled for MinGW. 
", "modified": "2014-06-10T03:11:44", "published": "2014-06-10T03:11:44", "id": "FEDORA:B4A6022400", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: mingw-gnutls-3.1.25-1.fc20", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4466", "CVE-2014-0092", "CVE-2014-1959"], "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. ", "modified": "2014-03-06T08:16:27", "published": "2014-03-06T08:16:27", "id": "FEDORA:5478421DA2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: gnutls-3.1.20-4.fc19", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092", "CVE-2014-1959", "CVE-2014-3466"], "description": "GnuTLS TLS/SSL encryption library. This library is cross-compiled for MinGW. ", "modified": "2014-06-10T03:08:23", "published": "2014-06-10T03:08:23", "id": "FEDORA:875CF22191", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: mingw-gnutls-3.1.25-1.fc19", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092", "CVE-2014-1959", "CVE-2014-8564"], "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. 
", "modified": "2014-11-13T18:22:50", "published": "2014-11-13T18:22:50", "id": "FEDORA:731A560D7581", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: gnutls-3.1.28-1.fc20", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4466", "CVE-2014-0092", "CVE-2014-1959", "CVE-2014-3466"], "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. ", "modified": "2014-06-10T03:11:55", "published": "2014-06-10T03:11:55", "id": "FEDORA:8754D2252A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: gnutls-3.1.20-5.fc19", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:30", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0092", "CVE-2014-1959"], "description": "\nGnuTLS project reports:\n\nA vulnerability was discovered that affects the\n\t certificate verification functions of all gnutls\n\t versions. A specially crafted certificate could\n\t bypass certificate validation checks. The\n\t vulnerability was discovered during an audit of\n\t GnuTLS for Red Hat.\n\n\nSuman Jana reported a vulnerability that affects\n\t the certificate verification functions of\n\t gnutls 2.11.5 and later versions. 
A version 1\n\t intermediate certificate will be considered as\n\t a CA certificate by default (something that\n\t deviates from the documented behavior).\n\n", "edition": 4, "modified": "2014-04-30T00:00:00", "published": "2014-03-03T00:00:00", "id": "F645AA90-A3E8-11E3-A422-3C970E169BC2", "href": "https://vuxml.freebsd.org/freebsd/f645aa90-a3e8-11e3-a422-3c970e169bc2.html", "title": "gnutls -- multiple certificate verification issues", "type": "freebsd", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:35:54", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1619", "CVE-2014-0092", "CVE-2013-2116"], "description": "[2.8.5-13]\n- fix CVE-2014-0092 (#1069890)\n[2.8.5-12]\n- fix CVE-2013-2116 - fix DoS regression in CVE-2013-1619\n upstream patch (#966754)\n[2.8.5-11]\n- fix CVE-2013-1619 - fix TLS-CBC timing attack (#908238)", "edition": 4, "modified": "2014-03-03T00:00:00", "published": "2014-03-03T00:00:00", "id": "ELSA-2014-0246", "href": "http://linux.oracle.com/errata/ELSA-2014-0246.html", "title": "gnutls security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "gentoo": [{"lastseen": "2016-09-06T19:47:04", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3466", "CVE-2014-3465", "CVE-2014-0092", "CVE-2014-1959"], "description": "### Background\n\nGnuTLS is an Open Source implementation of the TLS 1.2 and SSL 3.0 protocols. \n\n### Description\n\nMultiple vulnerabilities have been discovered in GnuTLS. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could utilize multiple vectors to spoof arbitrary SSL servers via a crafted certificate, execute arbitrary code or cause a Denial of Service condition. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll GnuTLS users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-libs/gnutls-2.12.23-r6\"", "edition": 1, "modified": "2014-06-13T00:00:00", "published": "2014-06-13T00:00:00", "id": "GLSA-201406-09", "href": "https://security.gentoo.org/glsa/201406-09", "type": "gentoo", "title": "GnuTLS: Multiple vulnerabilities", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}