[security-announce] GnuTLS Security Advisory

Sona Sarmadi sona.sarmadi at enea.com
Mon Oct 20 18:48:18 CEST 2014


===================================================================
		Enea Security Advisory
Product: GnuTLS
Severity: Critical
Issue date: 2014-10-20
CVE Name: CVE-2014-3566, SSLv3 POODLE vulnerability
=================================================================== 

Description
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. This vulnerability can be exploited when TLS clients use a non-standard, insecure protocol negotiation (it mostly affects browsers).

Solution/workaround
GnuTLS clients should perform the standard TLS handshake as documented by GnuTLS to avoid this vulnerability.


References
==========
http://www.gnutls.org/security.html#GNUTLS-SA-2014-4

Contact info
=========
If you have any questions regarding the security patches and security updates, please contact sona.sarmadi at enea.com or security at enea.com.


Sona Sarmadi
-----------------
ESRT (Enea Security Response Team)
Software Engineer/Security Responsible for Enea Linux
Enea
Jan Stenbecks torg 17,
Box 1033, SE-164 21 Kista, Sweden
Direct: +46 8 5071  4475
Mobile: +46 70 971 4475
sona.sarmadi at enea.com
www.enea.com 
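
The difference between the standard handshake and the non-standard negotiation named in the description, as an added example that is not part of the original advisory and is not GnuTLS code. It is a constructed Python model: the version list, `connect`, `server_reply` and the two network functions are assumptions for illustration, and no real wire format is involved.

```python
# Constructed model of TLS version negotiation (illustrative, not GnuTLS code).
VERSIONS = ["SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2"]  # oldest to newest


def server_reply(server_versions, client_max):
    """Standard rule: the server picks its highest version <= the client's offer."""
    limit = VERSIONS.index(client_max)
    usable = [v for v in VERSIONS[: limit + 1] if v in server_versions]
    return usable[-1] if usable else None


def honest_network(client_max):
    """Delivers every ClientHello."""
    return True


def interfering_network(client_max):
    """Hypothetical on-path party: only a hello capped at SSL 3.0 gets through."""
    return client_max == "SSL3.0"


def connect(client_versions, server_versions, network, fallback):
    """Return the negotiated version, or None when the connection fails.

    fallback=False: one handshake offering the client's highest version.
    fallback=True:  after a failed attempt, retry with the next lower version
                    as the maximum (the non-standard negotiation).
    """
    attempts = sorted(client_versions, key=VERSIONS.index, reverse=True)
    if not fallback:
        attempts = attempts[:1]
    for client_max in attempts:
        if not network(client_max):
            continue  # hello lost; only a fallback client has further attempts
        version = server_reply(server_versions, client_max)
        if version in client_versions:
            return version
    return None


if __name__ == "__main__":
    for net in (honest_network, interfering_network):
        for fb in (False, True):
            result = connect(VERSIONS, VERSIONS, net, fallback=fb)
            print(f"{net.__name__:20} fallback={fb!s:5} -> {result}")
```

With the interfering network, the single standard handshake fails closed, while the retrying client ends up on SSL 3.0 even though both endpoints support TLS 1.2.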
