{"description": "GnuTLS has been patched to ensure proper parsing of session ids during the\n TLS/SSL handshake. Additionally, three issues inherited from libtasn1 have\n been fixed.\n\n Further information is available at\n <a rel=\"nofollow\" href=\"http://www.gnutls.org/security.html#GNUTLS-SA-2014-3\">http://www.gnutls.org/security.html#GNUTLS-SA-2014-3</a>\n &lt;<a rel=\"nofollow\" href=\"http://www.gnutls.org/security.html#GNUTLS-SA-2014-3\">http://www.gnutls.org/security.html#GNUTLS-SA-2014-3</a>&gt;\n\n These security issues have been fixed:\n\n * Possible memory corruption during connect (CVE-2014-3466)\n * Multiple boundary check issues could allow DoS (CVE-2014-3467)\n * asn1_get_bit_der() can return negative bit length (CVE-2014-3468)\n * Possible DoS by NULL pointer dereference (CVE-2014-3469)\n", "viewCount": 1, "id": "SUSE-SU-2014:0758-1", "lastseen": "2016-09-04T12:27:23", "hash": "cbf29cb85da19c684fc0edd80cf6eef769f3725a018f74aae09bc862f875a27e", "objectVersion": "1.2", "cvelist": ["CVE-2014-3466", "CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "bulletinFamily": "unix", "published": "2014-06-05T03:04:15", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00002.html", "references": ["https://bugzilla.novell.com/880910", "http://download.suse.com/patch/finder/?keywords=cbb1ebdf6ecb2e49e09ac0ae8fadfbfc", "https://bugzilla.novell.com/880730"], "edition": 1, "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.8}, "title": "Security update for gnutls (important)", "reporter": "Suse", "history": [], "modified": "2014-06-05T03:04:15", "enchantments": {"vulnersScore": 5.0}, "type": "suse", "affectedPackage": [{"arch": "x86_64", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "libgnutls26-32bit-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "libgnutls26-32bit", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Desktop", "operator": "lt"}, {"arch": "s390x", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.s390x.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise High Availability Extension", "operator": "lt"}, {"arch": "ia64", "packageFilename": "libgnutls26-x86-2.4.1-24.39.51.1.ia64.rpm", "OSVersion": "11.3", "packageName": "libgnutls26-x86", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "libgnutls-extra-devel-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra-devel", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "i586", "packageFilename": "libgnutls26-2.4.1-24.39.51.1.i586.rpm", "OSVersion": "11.3", "packageName": "libgnutls26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server for VMware", "operator": "lt"}, {"arch": "i586", "packageFilename": "libgnutls-extra-devel-2.4.1-24.39.51.1.i586.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra-devel", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "i586", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.i586.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server for VMware", "operator": "lt"}, {"arch": "ia64", "packageFilename": "gnutls-2.4.1-24.39.51.1.ia64.rpm", "OSVersion": "11.3", "packageName": "gnutls", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "i586", "packageFilename": "libgnutls-devel-2.4.1-24.39.51.1.i586.rpm", "OSVersion": "11.3", "packageName": "libgnutls-devel", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "i586", "packageFilename": "libgnutls26-2.4.1-24.39.51.1.i586.rpm", "OSVersion": "11.3", "packageName": "libgnutls26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Desktop", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise High Availability Extension", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "libgnutls26-32bit-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "libgnutls26-32bit", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "ppc64", "packageFilename": "libgnutls-devel-2.4.1-24.39.51.1.ppc64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-devel", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "libgnutls26-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "libgnutls26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "s390x", "packageFilename": "libgnutls-extra-devel-2.4.1-24.39.51.1.s390x.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra-devel", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "gnutls-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "gnutls", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "ppc64", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.ppc64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "i586", "packageFilename": "gnutls-2.4.1-24.39.51.1.i586.rpm", "OSVersion": "11.3", "packageName": "gnutls", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "ppc64", "packageFilename": "libgnutls26-32bit-2.4.1-24.39.51.1.ppc64.rpm", "OSVersion": "11.3", "packageName": "libgnutls26-32bit", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "ppc64", "packageFilename": "libgnutls26-2.4.1-24.39.51.1.ppc64.rpm", "OSVersion": "11.3", "packageName": "libgnutls26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "ia64", "packageFilename": "libgnutls-extra-devel-2.4.1-24.39.51.1.ia64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra-devel", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "s390x", "packageFilename": "gnutls-2.4.1-24.39.51.1.s390x.rpm", "OSVersion": "11.3", "packageName": "gnutls", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "libgnutls26-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "libgnutls26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server for VMware", "operator": "lt"}, {"arch": "ia64", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.ia64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "i586", "packageFilename": "gnutls-2.4.1-24.39.51.1.i586.rpm", "OSVersion": "11.3", "packageName": "gnutls", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server for VMware", "operator": "lt"}, {"arch": "ppc64", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.ppc64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "ia64", "packageFilename": "libgnutls-devel-2.4.1-24.39.51.1.ia64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-devel", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "ia64", "packageFilename": "libgnutls26-2.4.1-24.39.51.1.ia64.rpm", "OSVersion": "11.3", "packageName": "libgnutls26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "ia64", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.ia64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "s390x", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.s390x.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "i586", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.i586.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise High Availability Extension", "operator": "lt"}, {"arch": "s390x", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.s390x.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "s390x", "packageFilename": "libgnutls26-2.4.1-24.39.51.1.s390x.rpm", "OSVersion": "11.3", "packageName": "libgnutls26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "ppc64", "packageFilename": "libgnutls-extra-devel-2.4.1-24.39.51.1.ppc64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra-devel", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "s390x", "packageFilename": "libgnutls-devel-2.4.1-24.39.51.1.s390x.rpm", "OSVersion": "11.3", "packageName": "libgnutls-devel", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "i586", "packageFilename": "libgnutls26-2.4.1-24.39.51.1.i586.rpm", "OSVersion": "11.3", "packageName": "libgnutls26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "gnutls-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "gnutls", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Desktop", "operator": "lt"}, {"arch": "ppc64", "packageFilename": "gnutls-2.4.1-24.39.51.1.ppc64.rpm", "OSVersion": "11.3", "packageName": "gnutls", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server for VMware", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "libgnutls26-32bit-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "libgnutls26-32bit", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server for VMware", "operator": "lt"}, {"arch": "ia64", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.ia64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise High Availability Extension", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "gnutls-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "gnutls", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server for VMware", "operator": "lt"}, {"arch": "i586", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.i586.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "libgnutls-devel-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-devel", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "libgnutls26-2.4.1-24.39.51.1.x86_64.rpm", "OSVersion": "11.3", "packageName": "libgnutls26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Desktop", "operator": "lt"}, {"arch": "i586", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.i586.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Software Development Kit", "operator": "lt"}, {"arch": "ppc64", "packageFilename": "libgnutls-extra26-2.4.1-24.39.51.1.ppc64.rpm", "OSVersion": "11.3", "packageName": "libgnutls-extra26", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise High Availability Extension", "operator": "lt"}, {"arch": "i586", "packageFilename": "gnutls-2.4.1-24.39.51.1.i586.rpm", "OSVersion": "11.3", "packageName": "gnutls", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Desktop", "operator": "lt"}, {"arch": "s390x", "packageFilename": "libgnutls26-32bit-2.4.1-24.39.51.1.s390x.rpm", "OSVersion": "11.3", "packageName": "libgnutls26-32bit", "packageVersion": "2.4.1-24.39.51.1", "OS": "SUSE Linux Enterprise Server", "operator": "lt"}]}

{"result": {"cve": [{"id": "CVE-2014-3466", "type": "cve", "title": "CVE-2014-3466", "description": "Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message.", "published": "2014-06-03T10:55:10", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3466", "cvelist": ["CVE-2014-3466"], "lastseen": "2017-12-29T12:18:19"}, {"id": "CVE-2014-3468", "type": "cve", "title": "CVE-2014-3468", "description": "The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data.", "published": "2014-06-05T16:55:06", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3468", "cvelist": ["CVE-2014-3468"], "lastseen": "2017-12-29T12:18:19"}, {"id": "CVE-2014-3469", "type": "cve", "title": "CVE-2014-3469", "description": "The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument.", "published": "2014-06-05T16:55:06", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3469", "cvelist": ["CVE-2014-3469"], "lastseen": "2017-12-29T12:18:19"}, {"id": "CVE-2014-3467", "type": "cve", "title": "CVE-2014-3467", "description": "Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data.", "published": "2014-06-05T16:55:06", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3467", "cvelist": ["CVE-2014-3467"], "lastseen": "2017-12-29T12:18:19"}], "f5": [{"id": "SOL15345", "type": "f5", "title": "SOL15345 - GnuTLS vulnerability CVE-2014-3466", "description": "Recommended Action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "published": "2014-06-19T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15345.html", "cvelist": ["CVE-2014-3466"], "lastseen": "2016-09-26T17:23:31"}, {"id": "F5:K15423", "type": "f5", "title": "GNU Libtasn1 vulnerabilities CVE-2014-3467 and CVE-2014-3468", "description": "\nF5 Product Development has assigned ID 470817 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM | None \n| 11.0.0 - 11.5.1 \n10.0.0 - 10.2.4 \n| None \nBIG-IP AAM | None | 11.4.0 - 11.5.1 \n| None \nBIG-IP AFM | None | 11.3.0 - 11.5.1 \n| None \nBIG-IP Analytics | None | 11.0.0 - 11.5.1 \n| None \nBIG-IP APM | None | 11.0.0 - 11.5.1 \n10.1.0 - 10.2.4 \n| None \nBIG-IP ASM | None | 11.0.0 - 11.5.1 \n10.0.0 - 10.2.4 | None \nBIG-IP Edge Gateway \n| None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | None \nBIG-IP GTM | None | 11.0.0 - 11.5.1 \n10.0.0 - 10.2.4 | None \nBIG-IP Link Controller | None \n| 11.0.0 - 11.5.1 \n10.0.0 - 10.2.4 \n| None \nBIG-IP PEM | None \n| 11.3.0 - 11.5.1 \n| None \nBIG-IP PSM | None | 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4 | None \nBIG-IP WebAccelerator | None | 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4 | None \nBIG-IP WOM | None | 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4 | None \nARX | 6.0.0 - 6.4.0 | None | ARX GUI \n \nEnterprise Manager | None | 3.0.0 - 3.1.1 \n2.1.0 - 2.3.0 | None \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | None \nBIG-IQ Cloud | None \n| 4.0.0 - 4.3.0 \n| None \nBIG-IQ Device | None \n| 4.2.0 - 4.3.0 \n| None \nBIG-IQ Security | None \n| 4.0.0 - 4.3.0 \n| None \nLineRate | None | 2.2.0 - 2.4.0 \n1.6.0 - 1.6.4 \n| None\n\n**ARX**\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit access to the ARX GUI only over a secure network.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "published": "2014-07-17T18:28:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K15423", "cvelist": ["CVE-2014-3468", "CVE-2014-3467"], "lastseen": "2017-06-08T00:16:30"}, {"id": "SOL15423", "type": "f5", "title": "SOL15423 - GNU Libtasn1 vulnerabilities CVE-2014-3467 and CVE-2014-3468", "description": "Vulnerability Recommended Actions\n\n**ARX**\n\nIf the previous table lists a version in the\u00c2 **Versions known to be not vulnerable**\u00c2 column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit access to the ARX GUI only over a secure network.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "published": "2014-07-17T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/15000/400/sol15423.html", "cvelist": ["CVE-2014-3468", "CVE-2014-3467"], "lastseen": "2016-12-03T05:27:38"}], "nessus": [{"id": "UBUNTU_USN-2229-1.NASL", "type": "nessus", "title": "Ubuntu 10.04 LTS / 12.04 LTS / 13.10 / 14.04 LTS : gnutls26 vulnerability (USN-2229-1)", "description": "Joonas Kuorilehto discovered that GnuTLS incorrectly handled Server Hello messages. A malicious remote server or a man in the middle could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2014-06-03T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74285", "cvelist": ["CVE-2014-3466"], "lastseen": "2017-10-29T13:43:20"}, {"id": "FEDORA_2014-6963.NASL", "type": "nessus", "title": "Fedora 19 : mingw-gnutls-3.1.25-1.fc19 (2014-6963)", "description": "Version 3.1.25 (released 2014-05-30)\n\n - libgnutls: Eliminated memory corruption issue in Server Hello parsing. Issue reported by Joonas Kuorilehto of Codenomicon.\n\n - libgnutls: Increased the maximum certificate size buffer in the PKCS #11 subsystem.\n\n - libgnutls: Check the return code of getpwuid_r() instead of relying on the result value. That avoids issue in certain systems, when using tofu authentication and the home path cannot be determined. Issue reported by Viktor Dukhovni.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2014-06-10T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74413", "cvelist": ["CVE-2014-3466"], "lastseen": "2017-10-29T13:37:32"}, {"id": "SL_20140603_GNUTLS_ON_SL6_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : gnutls on SL6.x i386/x86_64", "description": "A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466)\n\nFor the update to take effect, all applications linked to the GnuTLS library must be restarted.", "published": "2014-06-04T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74306", "cvelist": ["CVE-2014-3466"], "lastseen": "2017-10-29T13:39:40"}, {"id": "FREEBSD_PKG_9733C480EBFF11E3970B206A8A720317.NASL", "type": "nessus", "title": "FreeBSD : gnutls -- client-side memory corruption (9733c480-ebff-11e3-970b-206a8a720317)", "description": "GnuTLS project reports :\n\nThis vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client.", "published": "2014-06-05T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74318", "cvelist": ["CVE-2014-3466"], "lastseen": "2017-10-29T13:44:25"}, {"id": "FEDORA_2014-6881.NASL", "type": "nessus", "title": "Fedora 19 : gnutls-3.1.20-5.fc19 (2014-6881)", "description": "Added fix for CVE-2014-3466\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2014-06-10T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74403", "cvelist": ["CVE-2014-3466"], "lastseen": "2017-10-29T13:37:59"}, {"id": "REDHAT-RHSA-2014-0595.NASL", "type": "nessus", "title": "RHEL 6 : gnutls (RHSA-2014:0595)", "description": "Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS).\n\nA flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466)\n\nRed Hat would like to thank GnuTLS upstream for reporting this issue.\nUpstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.", "published": "2014-06-04T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74302", "cvelist": ["CVE-2014-3466"], "lastseen": "2017-10-29T13:41:43"}, {"id": "FEDORA_2014-6953.NASL", "type": "nessus", "title": "Fedora 20 : mingw-gnutls-3.1.25-1.fc20 (2014-6953)", "description": "Version 3.1.25 (released 2014-05-30)\n\n - libgnutls: Eliminated memory corruption issue in Server Hello parsing. Issue reported by Joonas Kuorilehto of Codenomicon.\n\n - libgnutls: Increased the maximum certificate size buffer in the PKCS #11 subsystem.\n\n - libgnutls: Check the return code of getpwuid_r() instead of relying on the result value. That avoids issue in certain systems, when using tofu authentication and the home path cannot be determined. Issue reported by Viktor Dukhovni.\n\nVersion 3.2.14 (released 2014-05-06)\n\n - libgnutls: Fixed issue with the check of incoming data when two different recv and send pointers have been specified. Reported and investigated by JMRecio.\n\n - libgnutls: Fixed issue in the RSA-PSK key exchange, which would result to illegal memory access if a server hint was provided.\n\n - libgnutls: Fixed client memory leak in the PSK key exchange, if a server hint was provided.\n\n - libgnutls: Several small bug fixes identified using valgrind and the Codenomicon TLS test suite.\n\n - libgnutls: Several small bug fixes found by coverity.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2014-06-10T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74410", "cvelist": ["CVE-2014-3466"], "lastseen": "2017-10-29T13:39:12"}, {"id": "ALA_ALAS-2014-352.NASL", "type": "nessus", "title": "Amazon Linux AMI : gnutls (ALAS-2014-352)", "description": "A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466)", "published": "2014-10-12T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=78295", "cvelist": ["CVE-2014-3466"], "lastseen": "2018-04-19T08:03:36"}, {"id": "ORACLELINUX_ELSA-2014-0595.NASL", "type": "nessus", "title": "Oracle Linux 6 : gnutls (ELSA-2014-0595)", "description": "From Red Hat Security Advisory 2014:0595 :\n\nUpdated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS).\n\nA flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466)\n\nRed Hat would like to thank GnuTLS upstream for reporting this issue.\nUpstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.", "published": "2014-06-04T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74297", "cvelist": ["CVE-2014-3466"], "lastseen": "2018-07-21T07:50:03"}, {"id": "CENTOS_RHSA-2014-0595.NASL", "type": "nessus", "title": "CentOS 6 : gnutls (CESA-2014:0595)", "description": "Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS).\n\nA flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466)\n\nRed Hat would like to thank GnuTLS upstream for reporting this issue.\nUpstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.", "published": "2014-06-05T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74310", "cvelist": ["CVE-2014-3466"], "lastseen": "2017-10-29T13:45:53"}], "ubuntu": [{"id": "USN-2229-1", "type": "ubuntu", "title": "GnuTLS vulnerability", "description": "Joonas Kuorilehto discovered that GnuTLS incorrectly handled Server Hello messages. A malicious remote server or a man in the middle could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code.", "published": "2014-06-02T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/2229-1/", "cvelist": ["CVE-2014-3466"], "lastseen": "2018-03-29T18:20:10"}, {"id": "USN-2294-1", "type": "ubuntu", "title": "Libtasn1 vulnerabilities", "description": "It was discovered that Libtasn1 incorrectly handled certain ASN.1 data structures. An attacker could exploit this with specially crafted ASN.1 data and cause applications using Libtasn1 to crash, resulting in a denial of service. (CVE-2014-3467)\n\nIt was discovered that Libtasn1 incorrectly handled negative bit lengths. An attacker could exploit this with specially crafted ASN.1 data and cause applications using Libtasn1 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-3468)\n\nIt was discovered that Libtasn1 incorrectly handled certain ASN.1 data. An attacker could exploit this with specially crafted ASN.1 data and cause applications using Libtasn1 to crash, resulting in a denial of service. (CVE-2014-3469)", "published": "2014-07-22T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/2294-1/", "cvelist": ["CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2018-03-29T18:17:48"}], "openvas": [{"id": "OPENVAS:702944", "type": "openvas", "title": "Debian Security Advisory DSA 2944-1 (gnutls26 - security update)", "description": "Joonas Kuorilehto discovered that GNU TLS performed insufficient\nvalidation of session IDs during TLS/SSL handshakes. A malicious server\ncould use this to execute arbitrary code or perform denial of service.", "published": "2014-06-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=702944", "cvelist": ["CVE-2014-3466"], "lastseen": "2017-08-03T10:49:08"}, {"id": "OPENVAS:1361412562310871171", "type": "openvas", "title": "RedHat Update for gnutls RHSA-2014:0595-01", "description": "Check for the Version of gnutls", "published": "2014-06-09T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871171", "cvelist": ["CVE-2014-3466"], "lastseen": "2018-04-09T11:13:05"}, {"id": "OPENVAS:1361412562310120309", "type": "openvas", "title": "Amazon Linux Local Check: ALAS-2014-352", "description": "Amazon Linux Local Security Checks", "published": "2015-09-08T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120309", "cvelist": ["CVE-2014-3466"], "lastseen": "2017-08-03T10:49:02"}, {"id": "OPENVAS:1361412562310123405", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-0595", "description": "Oracle Linux Local Security Checks ELSA-2014-0595", "published": "2015-10-06T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123405", "cvelist": ["CVE-2014-3466"], "lastseen": "2017-07-24T12:53:42"}, {"id": "OPENVAS:1361412562310841842", "type": "openvas", "title": "Ubuntu Update for gnutls26 USN-2229-1", "description": "Check for the Version of gnutls26", "published": "2014-06-09T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841842", "cvelist": ["CVE-2014-3466"], "lastseen": "2018-04-30T13:49:36"}, {"id": "OPENVAS:1361412562310881947", "type": "openvas", "title": "CentOS Update for gnutls CESA-2014:0595 centos6 ", "description": "Check for the Version of gnutls", "published": "2014-06-09T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881947", "cvelist": ["CVE-2014-3466"], "lastseen": "2018-04-09T11:13:16"}, {"id": "OPENVAS:1361412562310702944", "type": "openvas", "title": "Debian Security Advisory DSA 2944-1 (gnutls26 - security update)", "description": "Joonas Kuorilehto discovered that GNU TLS performed insufficient\nvalidation of session IDs during TLS/SSL handshakes. A malicious server\ncould use this to execute arbitrary code or perform denial of service.", "published": "2014-06-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310702944", "cvelist": ["CVE-2014-3466"], "lastseen": "2018-04-06T11:12:37"}, {"id": "OPENVAS:1361412562310850588", "type": "openvas", "title": "SuSE Update for gnutls openSUSE-SU-2014:0763-1 (gnutls)", "description": "Check for the Version of gnutls", "published": "2014-06-09T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850588", "cvelist": ["CVE-2014-3466", "CVE-2014-3465"], "lastseen": "2018-04-09T11:13:27"}, {"id": "OPENVAS:1361412562310850589", "type": "openvas", "title": "SuSE Update for gnutls openSUSE-SU-2014:0767-1 (gnutls)", "description": "Check for the Version of gnutls", "published": "2014-06-09T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850589", "cvelist": ["CVE-2014-3466", "CVE-2014-3465"], "lastseen": "2018-04-09T11:12:01"}, {"id": "OPENVAS:1361412562310871186", "type": "openvas", "title": "RedHat Update for gnutls RHSA-2014:0684-01", "description": "Check for the Version of gnutls", "published": "2014-07-04T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871186", "cvelist": ["CVE-2014-3466", "CVE-2014-3465"], "lastseen": "2018-04-09T11:12:07"}], "freebsd": [{"id": "9733C480-EBFF-11E3-970B-206A8A720317", "type": "freebsd", "title": "gnutls -- client-side memory corruption", "description": "\nGnuTLS project reports:\n\nThis vulnerability affects the client side of the gnutls library.\n\t A server that sends a specially crafted ServerHello could corrupt\n\t the memory of a requesting client.\n\n", "published": "2014-05-14T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/9733c480-ebff-11e3-970b-206a8a720317.html", "cvelist": ["CVE-2014-3466"], "lastseen": "2016-09-26T17:24:24"}, {"id": "027AF74D-EB56-11E3-9032-000C2980A9F3", "type": "freebsd", "title": "gnutls -- client-side memory corruption", "description": "\nGnuTLS project reports:\n\nThis vulnerability affects the client side of the gnutls library.\n\t A server that sends a specially crafted ServerHello could corrupt\n\t the memory of a requesting client.\n\n", "published": "2014-05-14T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/027af74d-eb56-11e3-9032-000c2980a9f3.html", "cvelist": ["CVE-2014-3466"], "lastseen": "2016-09-26T17:24:24"}], "oraclelinux": [{"id": "ELSA-2014-0595", "type": "oraclelinux", "title": "gnutls security update", "description": "[2.8.5-14]\n- fix session ID length check (#1102024)", "published": "2014-06-03T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0595.html", "cvelist": ["CVE-2014-3466"], "lastseen": "2016-09-04T11:16:59"}, {"id": "ELSA-2014-0684", "type": "oraclelinux", "title": "gnutls security update", "description": "[3.1.18-9]\n- fix session ID length check (#1102027)\n- fixes null pointer dereference (#1101727)", "published": "2014-07-23T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0684.html", "cvelist": ["CVE-2014-3466", "CVE-2014-3465"], "lastseen": "2016-09-04T11:16:30"}, {"id": "ELSA-2014-0594", "type": "oraclelinux", "title": "gnutls security update", "description": "[1.4.1-16]\n- added missing check for null pointer (#1102355)\n[1.4.1-15]\n- fix session ID length check and null pointer dereference (#1102355)\n- fix minitasn1 issues (#1102355)\n- Renamed gnutls-1.4.1-cve-2014-5138.patch to cve-2009-5138.patch", "published": "2014-06-03T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0594.html", "cvelist": ["CVE-2009-5138", "CVE-2014-3466", "CVE-2014-3468", "CVE-2014-5138", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2017-06-22T16:18:25"}, {"id": "ELSA-2014-0687", "type": "oraclelinux", "title": "libtasn1 security update", "description": "[3.3-5]\n- Added missing check for null pointer (#1102338)\n[3.3-4]\n- Fix multiple decoding issues (#1102338)", "published": "2014-07-23T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0687.html", "cvelist": ["CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2016-09-04T11:16:13"}, {"id": "ELSA-2014-0596", "type": "oraclelinux", "title": "libtasn1 security update", "description": "[2.3-6]\n- added check for null pointer (#1102336)\n[2.3-5]\n- fix various DER decoding issues (#1102336)\n[2.3-4]\n- fix CVE-2012-1569 - missing length check when decoding DER lengths (#804920)", "published": "2014-06-03T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0596.html", "cvelist": ["CVE-2014-3468", "CVE-2012-1569", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2016-09-04T11:17:01"}], "amazon": [{"id": "ALAS-2014-352", "type": "amazon", "title": "Important: gnutls", "description": "**Issue Overview:**\n\nA flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. ([CVE-2014-3466 __](<https://access.redhat.com/security/cve/CVE-2014-3466>))\n\n \n**Affected Packages:** \n\n\ngnutls\n\n \n**Issue Correction:** \nRun _yum update gnutls_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n gnutls-devel-2.8.5-14.13.amzn1.i686 \n gnutls-utils-2.8.5-14.13.amzn1.i686 \n gnutls-2.8.5-14.13.amzn1.i686 \n gnutls-debuginfo-2.8.5-14.13.amzn1.i686 \n gnutls-guile-2.8.5-14.13.amzn1.i686 \n \n src: \n gnutls-2.8.5-14.13.amzn1.src \n \n x86_64: \n gnutls-guile-2.8.5-14.13.amzn1.x86_64 \n gnutls-utils-2.8.5-14.13.amzn1.x86_64 \n gnutls-2.8.5-14.13.amzn1.x86_64 \n gnutls-debuginfo-2.8.5-14.13.amzn1.x86_64 \n gnutls-devel-2.8.5-14.13.amzn1.x86_64 \n \n \n", "published": "2014-06-05T15:38:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://alas.aws.amazon.com/ALAS-2014-352.html", "cvelist": ["CVE-2014-3466"], "lastseen": "2016-09-28T21:04:07"}, {"id": "ALAS-2014-359", "type": "amazon", "title": "Medium: libtasn1", "description": "**Issue Overview:**\n\nIt was discovered that the asn1_get_bit_der() function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code. ([CVE-2014-3468 __](<https://access.redhat.com/security/cve/CVE-2014-3468>))\n\nMultiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash. ([CVE-2014-3467 __](<https://access.redhat.com/security/cve/CVE-2014-3467>))\n\nMultiple NULL pointer dereference flaws were found in libtasn1's asn1_read_value() function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way. ([CVE-2014-3469 __](<https://access.redhat.com/security/cve/CVE-2014-3469>))\n\n \n**Affected Packages:** \n\n\nlibtasn1\n\n \n**Issue Correction:** \nRun _yum update libtasn1_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n libtasn1-devel-2.3-6.6.amzn1.i686 \n libtasn1-2.3-6.6.amzn1.i686 \n libtasn1-tools-2.3-6.6.amzn1.i686 \n libtasn1-debuginfo-2.3-6.6.amzn1.i686 \n \n src: \n libtasn1-2.3-6.6.amzn1.src \n \n x86_64: \n libtasn1-debuginfo-2.3-6.6.amzn1.x86_64 \n libtasn1-2.3-6.6.amzn1.x86_64 \n libtasn1-devel-2.3-6.6.amzn1.x86_64 \n libtasn1-tools-2.3-6.6.amzn1.x86_64 \n \n \n", "published": "2014-06-15T16:22:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://alas.aws.amazon.com/ALAS-2014-359.html", "cvelist": ["CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2016-09-28T21:03:57"}], "debian": [{"id": "DSA-2944", "type": "debian", "title": "gnutls26 -- security update", "description": "Joonas Kuorilehto discovered that GNU TLS performed insufficient validation of session IDs during TLS/SSL handshakes. A malicious server could use this to execute arbitrary code or perform denial of service.\n\nFor the stable distribution (wheezy), this problem has been fixed in version 2.12.20-8+deb7u2.\n\nFor the unstable distribution (sid), this problem has been fixed in version 2.12.23-16.\n\nWe recommend that you upgrade your gnutls26 packages.", "published": "2014-06-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-2944", "cvelist": ["CVE-2014-3466"], "lastseen": "2016-09-02T18:19:12"}, {"id": "DSA-3056", "type": "debian", "title": "libtasn1-3 -- security update", "description": "Several vulnerabilities were discovered in libtasn1-3, a library that manages ASN1 (Abstract Syntax Notation One) structures. An attacker could use those to cause a denial-of-service via out-of-bounds access or NULL pointer dereference.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 2.13-2+deb7u1.\n\nWe recommend that you upgrade your libtasn1-3 packages.", "published": "2014-10-26T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-3056", "cvelist": ["CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2016-09-02T18:32:02"}, {"id": "DLA-77", "type": "debian", "title": "libtasn1-3 -- LTS security update", "description": "Several vulnerabilities were discovered in libtasn1-3, a library that manages ASN1 (Abstract Syntax Notation One) structures. An attacker could use those to cause a denial-of-service via out-of-bounds access or NULL pointer dereference.\n\nFor Debian 6 Squeeze, these issues have been fixed in libtasn1-3 version 2.7-1+squeeze+2", "published": "2014-10-26T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/2014/dla-77", "cvelist": ["CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2018-07-04T01:26:52"}], "centos": [{"id": "CESA-2014:0595", "type": "centos", "title": "gnutls security update", "description": "**CentOS Errata and Security Advisory** CESA-2014:0595\n\n\nThe GnuTLS library provides support for cryptographic algorithms and for\nprotocols such as Transport Layer Security (TLS).\n\nA flaw was found in the way GnuTLS parsed session IDs from ServerHello\nmessages of the TLS/SSL handshake. A malicious server could use this flaw\nto send an excessively long session ID value, which would trigger a buffer\noverflow in a connecting TLS/SSL client application using GnuTLS, causing\nthe client application to crash or, possibly, execute arbitrary code.\n(CVE-2014-3466)\n\nRed Hat would like to thank GnuTLS upstream for reporting this issue.\nUpstream acknowledges Joonas Kuorilehto of Codenomicon as the original\nreporter.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which\ncorrect this issue. For the update to take effect, all applications linked\nto the GnuTLS library must be restarted.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-June/020338.html\n\n**Affected packages:**\ngnutls\ngnutls-devel\ngnutls-guile\ngnutls-utils\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0595.html", "published": "2014-06-04T09:21:48", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2014-June/020338.html", "cvelist": ["CVE-2014-3466"], "lastseen": "2017-10-03T18:26:31"}, {"id": "CESA-2014:0594", "type": "centos", "title": "gnutls security update", "description": "**CentOS Errata and Security Advisory** CESA-2014:0594\n\n\nThe GnuTLS library provides support for cryptographic algorithms and for\nprotocols such as Transport Layer Security (TLS). The gnutls packages also\ninclude the libtasn1 library, which provides Abstract Syntax Notation One\n(ASN.1) parsing and structures management, and Distinguished Encoding Rules\n(DER) encoding and decoding functions.\n\nA flaw was found in the way GnuTLS parsed session IDs from ServerHello\nmessages of the TLS/SSL handshake. A malicious server could use this flaw\nto send an excessively long session ID value, which would trigger a buffer\noverflow in a connecting TLS/SSL client application using GnuTLS, causing\nthe client application to crash or, possibly, execute arbitrary code.\n(CVE-2014-3466)\n\nIt was discovered that the asn1_get_bit_der() function of the libtasn1\nlibrary incorrectly reported the length of ASN.1-encoded data. Specially\ncrafted ASN.1 input could cause an application using libtasn1 to perform\nan out-of-bounds access operation, causing the application to crash or,\npossibly, execute arbitrary code. (CVE-2014-3468)\n\nMultiple incorrect buffer boundary check issues were discovered in\nlibtasn1. Specially crafted ASN.1 input could cause an application using\nlibtasn1 to crash. (CVE-2014-3467)\n\nMultiple NULL pointer dereference flaws were found in libtasn1's\nasn1_read_value() function. Specially crafted ASN.1 input could cause an\napplication using libtasn1 to crash, if the application used the\naforementioned function in a certain way. (CVE-2014-3469)\n\nRed Hat would like to thank GnuTLS upstream for reporting these issues.\nUpstream acknowledges Joonas Kuorilehto of Codenomicon as the original\nreporter of CVE-2014-3466.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which\ncorrect these issues. For the update to take effect, all applications\nlinked to the GnuTLS or libtasn1 library must be restarted.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-June/020339.html\n\n**Affected packages:**\ngnutls\ngnutls-devel\ngnutls-utils\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0594.html", "published": "2014-06-04T09:31:23", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2014-June/020339.html", "cvelist": ["CVE-2014-3466", "CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2017-10-03T18:26:33"}, {"id": "CESA-2014:0596", "type": "centos", "title": "libtasn1 security update", "description": "**CentOS Errata and Security Advisory** CESA-2014:0596\n\n\nThe libtasn1 library provides Abstract Syntax Notation One (ASN.1) parsing\nand structures management, and Distinguished Encoding Rules (DER) encoding\nand decoding functions.\n\nIt was discovered that the asn1_get_bit_der() function of the libtasn1\nlibrary incorrectly reported the length of ASN.1-encoded data. Specially\ncrafted ASN.1 input could cause an application using libtasn1 to perform\nan out-of-bounds access operation, causing the application to crash or,\npossibly, execute arbitrary code. (CVE-2014-3468)\n\nMultiple incorrect buffer boundary check issues were discovered in\nlibtasn1. Specially crafted ASN.1 input could cause an application using\nlibtasn1 to crash. (CVE-2014-3467)\n\nMultiple NULL pointer dereference flaws were found in libtasn1's\nasn1_read_value() function. Specially crafted ASN.1 input could cause an\napplication using libtasn1 to crash, if the application used the\naforementioned function in a certain way. (CVE-2014-3469)\n\nRed Hat would like to thank GnuTLS upstream for reporting these issues.\n\nAll libtasn1 users are advised to upgrade to these updated packages, which\ncorrect these issues. For the update to take effect, all applications\nlinked to the libtasn1 library must be restarted.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-June/020341.html\n\n**Affected packages:**\nlibtasn1\nlibtasn1-devel\nlibtasn1-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0596.html", "published": "2014-06-04T10:04:23", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2014-June/020341.html", "cvelist": ["CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2017-10-03T18:25:05"}], "thn": [{"id": "THN:9E0F4544CFCEA19BA1AC11F066388B3E", "type": "thn", "title": "Critical GnuTLS Flaw Leaves SSL Clients Vulnerable to Remote Code Execution", "description": "[](<https://1.bp.blogspot.com/-r4FXV5Dmo_g/U48aWOh5dKI/AAAAAAAAb8A/oWWdl5A3LHc/s1600/gnutsl-hello-encryption.jpg>)\n\nGnuTLS, a widely used open source SSL/TLS cryptographic library is vulnerable to a buffer overflow vulnerability that could be exploited to crash TLS clients or potentially execute malicious code on underlying systems.\n\n \n\n\nThe GnuTLS library implements secure sockets layer (SSL) and transport layer security (TLS) protocols on computers, servers, and softwares to provide encrypted communications over insecure channels.\n\n \n\n\nThe bug (_CVE-2014-3466_) was independently discovered by Joonas Kuorilehto of security firm Codenomicon, the same security firm who discovered the biggest Internet vulnerability, Heartbleed. Unlike Heartbleed, the GnuTLS library is not as widely deployed as OpenSSL.\n\n \n\n\nThe GnuTLS Vulnerability resides in the way GnuTLS parses the [session ID](<https://www.gitorious.org/gnutls/gnutls/source/8d7d6c6154e01afbe73bb201d6f438b62d75becb:lib/gnutls_handshake.c#L1747>) from the server response during a TLS handshake. It does not check the length of session ID value in the ServerHello message, which allows a malicious server to send an excessively long value in order to execute buffer overflow. Reported Flaw could be exploited by sending payload code from malicious server to clients as they establish encrypted HTTPS connections.\n\n[](<https://1.bp.blogspot.com/-omBXyLR6n40/U48YDcb9l_I/AAAAAAAAb70/k5Qk1gFogFI/s1600/gnutls-session-id.png>)\n\nHeartbleed could be exploited from both sides i.e. Server (the computer connected to) or the Client (i.e. the computer that initiated the connection), whereas the GnuTLS Remote Code Execution vulnerability will only works from the server to a connecting client.\n\n \n\n\nRed Hat has already [issues](<https://bugzilla.redhat.com/show_bug.cgi?id=1101932>) a patch for this vulnerability as \u201c_A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake_,\u201d and its Bug Tracker explained: \u201c_A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code_.\u201d\n\n \n\n\n\"_The flaw is in read_server_hello() / _gnutls_read_server_hello(), where session_id_len is checked to not exceed incoming packet size, but not checked to ensure it does not exceed maximum session id length_.\u201d\n\n \n\n\nRadare blog also published an in-depth [technical analysis](<http://radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/>) including the proof-of-concept of the this vulnerability, which indicates that it can be exploited by any threat actor to execute any type of malicious code. While, the GnuTLS project has already issued [updated version](<https://www.gnutls.org/security.html>) 3.1.25, 3.2.15 and 3.3.3 in order to patch the vulnerability.\n", "published": "2014-06-04T02:15:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://thehackernews.com/2014/06/critical-gnutls-flaw-leaves-ssl-clients.html", "cvelist": ["CVE-2014-3466"], "lastseen": "2018-01-27T09:17:50"}], "redhat": [{"id": "RHSA-2014:0595", "type": "redhat", "title": "(RHSA-2014:0595) Important: gnutls security update", "description": "The GnuTLS library provides support for cryptographic algorithms and for\nprotocols such as Transport Layer Security (TLS).\n\nA flaw was found in the way GnuTLS parsed session IDs from ServerHello\nmessages of the TLS/SSL handshake. A malicious server could use this flaw\nto send an excessively long session ID value, which would trigger a buffer\noverflow in a connecting TLS/SSL client application using GnuTLS, causing\nthe client application to crash or, possibly, execute arbitrary code.\n(CVE-2014-3466)\n\nRed Hat would like to thank GnuTLS upstream for reporting this issue.\nUpstream acknowledges Joonas Kuorilehto of Codenomicon as the original\nreporter.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which\ncorrect this issue. For the update to take effect, all applications linked\nto the GnuTLS library must be restarted.\n", "published": "2014-06-03T04:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0595", "cvelist": ["CVE-2014-3466"], "lastseen": "2018-06-12T21:10:17"}, {"id": "RHSA-2014:0684", "type": "redhat", "title": "(RHSA-2014:0684) Important: gnutls security update", "description": "The GnuTLS library provides support for cryptographic algorithms and for\nprotocols such as Transport Layer Security (TLS).\n\nA flaw was found in the way GnuTLS parsed session IDs from ServerHello\nmessages of the TLS/SSL handshake. A malicious server could use this flaw\nto send an excessively long session ID value, which would trigger a buffer\noverflow in a connecting TLS/SSL client application using GnuTLS, causing\nthe client application to crash or, possibly, execute arbitrary code.\n(CVE-2014-3466)\n\nA NULL pointer dereference flaw was found in the way GnuTLS parsed X.509\ncertificates. A specially crafted certificate could cause a server or\nclient application using GnuTLS to crash. (CVE-2014-3465)\n\nRed Hat would like to thank GnuTLS upstream for reporting these issues.\nUpstream acknowledges Joonas Kuorilehto of Codenomicon as the original\nreporter of CVE-2014-3466.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which\ncorrect these issues. For the update to take effect, all applications\nlinked to the GnuTLS library must be restarted.\n", "published": "2014-06-10T04:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0684", "cvelist": ["CVE-2014-3465", "CVE-2014-3466"], "lastseen": "2018-04-15T12:23:25"}, {"id": "RHSA-2014:0594", "type": "redhat", "title": "(RHSA-2014:0594) Important: gnutls security update", "description": "The GnuTLS library provides support for cryptographic algorithms and for\nprotocols such as Transport Layer Security (TLS). The gnutls packages also\ninclude the libtasn1 library, which provides Abstract Syntax Notation One\n(ASN.1) parsing and structures management, and Distinguished Encoding Rules\n(DER) encoding and decoding functions.\n\nA flaw was found in the way GnuTLS parsed session IDs from ServerHello\nmessages of the TLS/SSL handshake. A malicious server could use this flaw\nto send an excessively long session ID value, which would trigger a buffer\noverflow in a connecting TLS/SSL client application using GnuTLS, causing\nthe client application to crash or, possibly, execute arbitrary code.\n(CVE-2014-3466)\n\nIt was discovered that the asn1_get_bit_der() function of the libtasn1\nlibrary incorrectly reported the length of ASN.1-encoded data. Specially\ncrafted ASN.1 input could cause an application using libtasn1 to perform\nan out-of-bounds access operation, causing the application to crash or,\npossibly, execute arbitrary code. (CVE-2014-3468)\n\nMultiple incorrect buffer boundary check issues were discovered in\nlibtasn1. Specially crafted ASN.1 input could cause an application using\nlibtasn1 to crash. (CVE-2014-3467)\n\nMultiple NULL pointer dereference flaws were found in libtasn1's\nasn1_read_value() function. Specially crafted ASN.1 input could cause an\napplication using libtasn1 to crash, if the application used the\naforementioned function in a certain way. (CVE-2014-3469)\n\nRed Hat would like to thank GnuTLS upstream for reporting these issues.\nUpstream acknowledges Joonas Kuorilehto of Codenomicon as the original\nreporter of CVE-2014-3466.\n\nUsers of GnuTLS are advised to upgrade to these updated packages, which\ncorrect these issues. For the update to take effect, all applications\nlinked to the GnuTLS or libtasn1 library must be restarted.\n", "published": "2014-06-03T04:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0594", "cvelist": ["CVE-2014-3466", "CVE-2014-3467", "CVE-2014-3468", "CVE-2014-3469"], "lastseen": "2017-09-09T07:19:59"}, {"id": "RHSA-2014:0815", "type": "redhat", "title": "(RHSA-2014:0815) Important: rhev-hypervisor6 security update", "description": "The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization\nHypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor\nis a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes\neverything necessary to run and manage virtual machines: a subset of the\nRed Hat Enterprise Linux operating environment and the Red Hat Enterprise\nVirtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available for\nthe Intel 64 and AMD64 architectures with virtualization extensions.\n\nA flaw was found in the way GnuTLS parsed session IDs from ServerHello\nmessages of the TLS/SSL handshake. A malicious server could use this flaw\nto send an excessively long session ID value, which would trigger a buffer\noverflow in a connecting TLS/SSL client application using GnuTLS, causing\nthe client application to crash or, possibly, execute arbitrary code.\n(CVE-2014-3466)\n\nIt was discovered that the asn1_get_bit_der() function of the libtasn1\nlibrary incorrectly reported the length of ASN.1-encoded data. Specially\ncrafted ASN.1 input could cause an application using libtasn1 to perform\nan out-of-bounds access operation, causing the application to crash or,\npossibly, execute arbitrary code. (CVE-2014-3468)\n\nMultiple incorrect buffer boundary check issues were discovered in\nlibtasn1. Specially crafted ASN.1 input could cause an application using\nlibtasn1 to crash. (CVE-2014-3467)\n\nMultiple NULL pointer dereference flaws were found in libtasn1's\nasn1_read_value() function. Specially crafted ASN.1 input could cause an\napplication using libtasn1 to crash, if the application used the\naforementioned function in a certain way. (CVE-2014-3469)\n\nRed Hat would like to thank GnuTLS upstream for reporting CVE-2014-3466,\nCVE-2014-3468, CVE-2014-3467, and CVE-2014-3469. Upstream acknowledges\nJoonas Kuorilehto of Codenomicon as the original reporter of CVE-2014-3466.\n\nThis updated package provides an updated kernel component that includes\nfixes for various security issues. These issues have no security impact on\nRed Hat Enterprise Virtualization Hypervisor itself, however. The security\nfixes included in this update address the following CVE numbers:\n\nCVE-2013-6378, CVE-2014-0203, CVE-2014-1737, CVE-2014-1738, CVE-2014-1874,\nCVE-2014-2039 and CVE-2014-3153 (kernel issues)\n\nUsers of the Red Hat Enterprise Virtualization Hypervisor are advised to\nupgrade to this updated package.\n", "published": "2014-06-30T04:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0815", "cvelist": ["CVE-2013-6378", "CVE-2014-0203", "CVE-2014-1737", "CVE-2014-1738", "CVE-2014-1874", "CVE-2014-2039", "CVE-2014-3153", "CVE-2014-3466", "CVE-2014-3467", "CVE-2014-3468", "CVE-2014-3469"], "lastseen": "2018-06-13T00:00:41"}, {"id": "RHSA-2014:0596", "type": "redhat", "title": "(RHSA-2014:0596) Moderate: libtasn1 security update", "description": "The libtasn1 library provides Abstract Syntax Notation One (ASN.1) parsing\nand structures management, and Distinguished Encoding Rules (DER) encoding\nand decoding functions.\n\nIt was discovered that the asn1_get_bit_der() function of the libtasn1\nlibrary incorrectly reported the length of ASN.1-encoded data. Specially\ncrafted ASN.1 input could cause an application using libtasn1 to perform\nan out-of-bounds access operation, causing the application to crash or,\npossibly, execute arbitrary code. (CVE-2014-3468)\n\nMultiple incorrect buffer boundary check issues were discovered in\nlibtasn1. Specially crafted ASN.1 input could cause an application using\nlibtasn1 to crash. (CVE-2014-3467)\n\nMultiple NULL pointer dereference flaws were found in libtasn1's\nasn1_read_value() function. Specially crafted ASN.1 input could cause an\napplication using libtasn1 to crash, if the application used the\naforementioned function in a certain way. (CVE-2014-3469)\n\nRed Hat would like to thank GnuTLS upstream for reporting these issues.\n\nAll libtasn1 users are advised to upgrade to these updated packages, which\ncorrect these issues. For the update to take effect, all applications\nlinked to the libtasn1 library must be restarted.\n", "published": "2014-06-03T04:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0596", "cvelist": ["CVE-2014-3467", "CVE-2014-3468", "CVE-2014-3469"], "lastseen": "2018-06-06T18:05:16"}, {"id": "RHSA-2014:0687", "type": "redhat", "title": "(RHSA-2014:0687) Moderate: libtasn1 security update", "description": "The libtasn1 library provides Abstract Syntax Notation One (ASN.1) parsing\nand structures management, and Distinguished Encoding Rules (DER) encoding\nand decoding functions.\n\nIt was discovered that the asn1_get_bit_der() function of the libtasn1\nlibrary incorrectly reported the length of ASN.1-encoded data. Specially\ncrafted ASN.1 input could cause an application using libtasn1 to perform\nan out-of-bounds access operation, causing the application to crash or,\npossibly, execute arbitrary code. (CVE-2014-3468)\n\nMultiple incorrect buffer boundary check issues were discovered in\nlibtasn1. Specially crafted ASN.1 input could cause an application using\nlibtasn1 to crash. (CVE-2014-3467)\n\nMultiple NULL pointer dereference flaws were found in libtasn1's\nasn1_read_value() function. Specially crafted ASN.1 input could cause an\napplication using libtasn1 to crash, if the application used the\naforementioned function in a certain way. (CVE-2014-3469)\n\nRed Hat would like to thank GnuTLS upstream for reporting these issues.\n\nAll libtasn1 users are advised to upgrade to these updated packages, which\ncorrect these issues. For the update to take effect, all applications\nlinked to the libtasn1 library must be restarted.\n", "published": "2014-06-10T04:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0687", "cvelist": ["CVE-2014-3467", "CVE-2014-3468", "CVE-2014-3469"], "lastseen": "2018-04-15T14:24:23"}], "suse": [{"id": "OPENSUSE-SU-2014:0767-1", "type": "suse", "title": "gnutls: Fixed possible memory corruption (important)", "description": "gnutls was patched to fix security vulnerability that could be used to\n disrupt service or potentially allow remote code execution.\n - Memory corruption during connect (CVE-2014-3466)\n - NULL pointer dereference in gnutls_x509_dn_oid_name (CVE-2014-3465)\n\n", "published": "2014-06-06T12:23:49", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00010.html", "cvelist": ["CVE-2014-3466", "CVE-2014-3465"], "lastseen": "2016-09-04T12:25:26"}, {"id": "OPENSUSE-SU-2014:0763-1", "type": "suse", "title": "gnutls: Fixed possible memory corruption and NULL pointer dereference (important)", "description": "gnutls was patched to fix two security vulnerabilities that could be used\n to disrupt service or potentially allow remote code execution.\n\n - Memory corruption during connect (CVE-2014-3466)\n - NULL pointer dereference in gnutls_x509_dn_oid_name (CVE-2014-3465)\n\n", "published": "2014-06-06T11:04:14", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00007.html", "cvelist": ["CVE-2014-3466", "CVE-2014-3465"], "lastseen": "2016-09-04T11:41:56"}, {"id": "SUSE-SU-2014:0758-2", "type": "suse", "title": "Security update for GnuTLS (important)", "description": "GnuTLS has been patched to ensure proper parsing of session ids during the\n TLS/SSL handshake. Additionally three issues inherited from libtasn1 have\n been fixed.\n\n Further information is available at\n <a rel=\"nofollow\" href=\"http://www.gnutls.org/security.html#GNUTLS-SA-2014-3\">http://www.gnutls.org/security.html#GNUTLS-SA-2014-3</a>\n &lt;<a rel=\"nofollow\" href=\"http://www.gnutls.org/security.html#GNUTLS-SA-2014-3\">http://www.gnutls.org/security.html#GNUTLS-SA-2014-3</a>&gt;\n\n These security issues have been fixed:\n\n * Possible memory corruption during connect (CVE-2014-3466)\n * Multiple boundary check issues could allow DoS (CVE-2014-3467)\n * asn1_get_bit_der() can return negative bit length (CVE-2014-3468)\n * Possible DoS by NULL pointer dereference (CVE-2014-3469)\n", "published": "2014-06-13T02:04:36", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00016.html", "cvelist": ["CVE-2014-3466", "CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2016-09-04T11:38:48"}, {"id": "SUSE-SU-2014:0800-1", "type": "suse", "title": "Security update for GnuTLS (important)", "description": "GnuTLS has been patched to ensure proper parsing of session ids during the\n TLS/SSL handshake. Additionally three issues inherited from libtasn1 have\n been fixed.\n\n Further information is available at\n <a rel=\"nofollow\" href=\"http://www.gnutls.org/security.html#GNUTLS-SA-2014-3\">http://www.gnutls.org/security.html#GNUTLS-SA-2014-3</a>\n &lt;<a rel=\"nofollow\" href=\"http://www.gnutls.org/security.html#GNUTLS-SA-2014-3\">http://www.gnutls.org/security.html#GNUTLS-SA-2014-3</a>&gt;\n\n These security issues have been fixed:\n\n * Possible memory corruption during connect (CVE-2014-3466)\n * Multiple boundary check issues could allow DoS (CVE-2014-3467)\n * asn1_get_bit_der() can return negative bit length (CVE-2014-3468)\n * Possible DoS by NULL pointer dereference (CVE-2014-3469)\n * Possible timing side-channel attack (Lucky 13) (CVE-2013-1619)\n\n One additional bug has been fixed:\n\n * Allow unsafe renegotiation (bnc#554084)\n", "published": "2014-06-16T18:04:14", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00020.html", "cvelist": ["CVE-2013-1619", "CVE-2014-3466", "CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2016-09-04T12:07:45"}, {"id": "SUSE-SU-2014:0788-2", "type": "suse", "title": "Security update for GnuTLS (important)", "description": "GnuTLS has been patched to ensure proper parsing of session ids during the\n TLS/SSL handshake. Additionally three issues inherited from libtasn1 have\n been fixed.\n\n Further information is available at\n <a rel=\"nofollow\" href=\"http://www.gnutls.org/security.html#GNUTLS-SA-2014-3\">http://www.gnutls.org/security.html#GNUTLS-SA-2014-3</a>\n &lt;<a rel=\"nofollow\" href=\"http://www.gnutls.org/security.html#GNUTLS-SA-2014-3\">http://www.gnutls.org/security.html#GNUTLS-SA-2014-3</a>&gt;\n\n These security issues have been fixed:\n\n * Possible memory corruption during connect (CVE-2014-3466)\n * Multiple boundary check issues could allow DoS (CVE-2014-3467)\n * asn1_get_bit_der() can return negative bit length (CVE-2014-3468)\n * Possible DoS by NULL pointer dereference (CVE-2014-3469)\n", "published": "2014-06-13T20:04:13", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00017.html", "cvelist": ["CVE-2014-3466", "CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2016-09-04T11:45:32"}, {"id": "SUSE-SU-2014:0788-1", "type": "suse", "title": "Security update for GnuTLS (important)", "description": "GnuTLS was patched to ensure proper parsing of session ids during the\n TLS/SSL handshake. Additionally three issues inherited from libtasn1 were\n fixed.\n\n * Possible memory corruption during connect. (CVE-2014-3466)\n * Multiple boundary check issues could allow DoS. (CVE-2014-3467)\n * asn1_get_bit_der() can return negative bit length. (CVE-2014-3468)\n * Possible DoS by NULL pointer dereference. (CVE-2014-3469)\n\n Further information is available at\n <a rel=\"nofollow\" href=\"http://www.gnutls.org/security.html#GNUTLS-SA-2014-3\">http://www.gnutls.org/security.html#GNUTLS-SA-2014-3</a>\n &lt;<a rel=\"nofollow\" href=\"http://www.gnutls.org/security.html#GNUTLS-SA-2014-3\">http://www.gnutls.org/security.html#GNUTLS-SA-2014-3</a>&gt; .\n\n Security Issues references:\n\n * CVE-2014-3466\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466</a>&gt;\n * CVE-2014-3467\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467</a>&gt;\n * CVE-2014-3468\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468</a>&gt;\n * CVE-2014-3469\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469</a>&gt;\n\n", "published": "2014-06-13T00:04:29", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00015.html", "cvelist": ["CVE-2014-3466", "CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2016-09-04T12:03:35"}, {"id": "SUSE-SU-2014:0931-1", "type": "suse", "title": "Security update for libtasn1 (important)", "description": "libtasn1 has been updated to fix three security issues:\n\n * asn1_get_bit_der() could have returned negative bit length\n (CVE-2014-3468)\n * Multiple boundary check issues could have allowed DoS (CVE-2014-3467)\n * Possible DoS by NULL pointer dereference in asn1_read_value_type\n (CVE-2014-3469)\n\n Security Issues:\n\n * CVE-2014-3468\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468</a>&gt;\n * CVE-2014-3467\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467</a>&gt;\n * CVE-2014-3469\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469</a>&gt;\n\n", "published": "2014-07-24T03:05:20", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-07/msg00019.html", "cvelist": ["CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2016-09-04T11:40:33"}], "gentoo": [{"id": "GLSA-201406-09", "type": "gentoo", "title": "GnuTLS: Multiple vulnerabilities", "description": "### Background\n\nGnuTLS is an Open Source implementation of the TLS 1.2 and SSL 3.0 protocols. \n\n### Description\n\nMultiple vulnerabilities have been discovered in GnuTLS. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could utilize multiple vectors to spoof arbitrary SSL servers via a crafted certificate, execute arbitrary code or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll GnuTLS users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-libs/gnutls-2.12.23-r6\"", "published": "2014-06-13T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201406-09", "cvelist": ["CVE-2014-3466", "CVE-2014-3465", "CVE-2014-0092", "CVE-2014-1959"], "lastseen": "2016-09-06T19:47:04"}, {"id": "GLSA-201408-09", "type": "gentoo", "title": "GNU Libtasn1: Multiple vulnerabilities", "description": "### Background\n\nThe ASN.1 library used in GNUTLS.\n\n### Description\n\nMultiple vulnerabilities have been discovered in GNU Libtasn1. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA context-dependent attacker could possibly cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll GNU Libtasn1 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-libs/libtasn1-3.6\"\n \n\nPackages which depend on this library may need to be recompiled. Tools such as revdep-rebuild may assist in identifying some of these packages.", "published": "2014-08-29T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201408-09", "cvelist": ["CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2016-09-06T19:46:42"}], "slackware": [{"id": "SSA-2014-156-01", "type": "slackware", "title": "gnutls", "description": "New gnutls packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/gnutls-3.1.25-i486-1_slack14.1.txz: Upgraded.\n A security issue has been corrected in gnutls. This vulnerability\n affects the client side of the gnutls library. A server that sends\n a specially crafted ServerHello could corrupt the memory of a requesting\n client. This may allow a remote attacker to execute arbitrary code.\n Additional vulnerabilities in the embedded libtasn1 library have also\n been patched.\n Thanks to mancha for the backported patches.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3465\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/gnutls-2.8.4-i486-4_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/gnutls-2.8.4-x86_64-4_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/gnutls-2.8.6-i486-4_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/gnutls-2.8.6-x86_64-4_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/gnutls-2.10.5-i486-4_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/gnutls-2.10.5-x86_64-4_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/gnutls-3.0.32-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/gnutls-3.0.32-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/gnutls-3.1.25-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/gnutls-3.1.25-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/gnutls-3.2.15-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/gnutls-3.2.15-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n0acf23b4cdae1b1dee923b33e110c790 gnutls-2.8.4-i486-4_slack13.0.txz\n\nSlackware x86_64 13.0 package:\nc371d06f05c831f8fbb5b04d9d1d5464 gnutls-2.8.4-x86_64-4_slack13.0.txz\n\nSlackware 13.1 package:\n328bd02609ac00a98e9d07592c4bae82 gnutls-2.8.6-i486-4_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n8a59e02464b6b414b56b5077dc1f38e1 gnutls-2.8.6-x86_64-4_slack13.1.txz\n\nSlackware 13.37 package:\n8659a0ab255d28a6bc16c4e625c53690 gnutls-2.10.5-i486-4_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n8617b26c38e4501311021a00e4999cb7 gnutls-2.10.5-x86_64-4_slack13.37.txz\n\nSlackware 14.0 package:\n2d8b9a95c97aad5cc84a7b92ccb281c8 gnutls-3.0.32-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\nad2d0fca978564aa199588a468bfe160 gnutls-3.0.32-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\nabd6c425bc3a12cfad1bce8a586bdc4c gnutls-3.1.25-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n4c28e2ab32e385f9569a4aab54c91db8 gnutls-3.1.25-x86_64-1_slack14.1.txz\n\nSlackware -current package:\ndfc1769af2693d3fa04206afd1993cdb n/gnutls-3.2.15-i486-1.txz\n\nSlackware x86_64 -current package:\n0639e73bef1015eff97c50b95eac84cc n/gnutls-3.2.15-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg gnutls-3.1.25-i486-1_slack14.1.txz", "published": "2014-06-05T22:26:16", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.547936", "cvelist": ["CVE-2014-3466", "CVE-2014-3468", "CVE-2014-3465", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2018-02-02T18:11:28"}, {"id": "SSA-2014-156-02", "type": "slackware", "title": "libtasn1", "description": "New libtasn1 packages are available for Slackware 14.0, 14.1, and -current to\nfix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/libtasn1-3.6-i486-1_slack14.1.txz: Upgraded.\n Multiple security issues have been corrected in the libtasn1 library.\n These errors allow a remote attacker to cause a denial of service, or\n possibly to execute arbitrary code.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/libtasn1-2.14-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/libtasn1-2.14-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/libtasn1-3.6-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/libtasn1-3.6-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libtasn1-3.6-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/libtasn1-3.6-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 package:\n22d723842f7271921e505614506c25c1 libtasn1-2.14-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n1374d9b06e63dad56865898d6c834493 libtasn1-2.14-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\nba845b678c9df080c4ea90350a40b89f libtasn1-3.6-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\nedf7a2af4e854d123abee95633dbcaf2 libtasn1-3.6-x86_64-1_slack14.1.txz\n\nSlackware -current package:\na15bbcfe1354fe013da59161314eeba4 l/libtasn1-3.6-i486-1.txz\n\nSlackware x86_64 -current package:\nc22b8a7c725552c56f6cd21c697902de l/libtasn1-3.6-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg libtasn1-3.6-i486-1_slack14.1.txz", "published": "2014-06-05T22:26:49", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.399939", "cvelist": ["CVE-2014-3468", "CVE-2014-3469", "CVE-2014-3467"], "lastseen": "2018-02-02T18:11:30"}]}}