[security-announce] gnutls: Security update

Sona Sarmadi sona.sarmadi at enea.com
Thu Sep 3 13:54:53 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

	Enea Linux Security Advisory
=========================================================
Product/package: gnutls 3.3.5
Severity: Moderate
CVE Name: CVE-2015-3308
=========================================================
This security update fixes a use-after-free flaw in
CRL distribution points parsing.

Signed patch and README files
================================
0031-gnutls-CVE-2015-3308.patch
0031-gnutls-CVE-2015-3308.patch.sig
0031-gnutls-CVE-2015-3308.README.asc

Description
===========
A use-after-free flaw was found in the way GnuTLS parsed
CRL distribution points.
A specially crafted certificate could cause an application
using GnuTLS to crash.

References
===========
https://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9

https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02

https://bugzilla.redhat.com/show_bug.cgi?id=1212459
http://www.openwall.com/lists/oss-security/2015/04/15/6

How to apply the patches
=======================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/5.0-beta-m400/\
Enea-Linux-5.0-beta-m400.tar.gz
tar zxf Enea-Linux-5.0-beta-m400.tar.gz
cd Enea-Linux-5.0-beta-m400/poky
<Fetch and apply the existing patches >

 - Fetch, verify and apply the new patch
wget https://linux.enea.com/5.0-beta-m400/\
patches/0031-gnutls-CVE-2015-3308.patch
wget https://linux.enea.com/5.0-beta-m400/\
patches/0031-gnutls-CVE-2015-3308.patch.sig
gpg --verify 0031-gnutls-CVE-2015-3308.patch.sig
patch -p1 < ./0031-gnutls-CVE-2015-3308.patch
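The verify and apply commands above, wrapped so that the patch is applied only when the signature checks out (an added example, not part of the Enea advisory). The function name apply_verified_patch and the EXPECTED_FPR value are assumptions: the advisory does not state the signing key's fingerprint, so a placeholder is used.

```sh
#!/bin/sh
# Added example: fail-closed wrapper for the verify-then-apply step.
# EXPECTED_FPR is a placeholder; take the real fingerprint from a channel
# you trust, since the advisory itself does not list it.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_SIGNING_KEY_FINGERPRINT}"

apply_verified_patch() {
    local patch_file="$1" sig_file="${2:-$1.sig}" status fpr

    [ -r "$patch_file" ] && [ -r "$sig_file" ] || {
        echo "missing patch or signature file" >&2; return 2; }

    # Name the signed file explicitly instead of letting gpg infer it from
    # the .sig name, and capture the machine-readable status lines.
    status=$(gpg --batch --status-fd 1 --verify "$sig_file" "$patch_file" 2>/dev/null) || {
        echo "signature verification failed: $patch_file" >&2; return 1; }

    # gpg exits 0 for a good signature from ANY key in the keyring, so pin
    # the signer: the last field of VALIDSIG is the primary key fingerprint.
    fpr=$(printf '%s\n' "$status" |
          awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$fpr" ] && [ "$fpr" = "$EXPECTED_FPR" ] || {
        echo "signed by unexpected key: ${fpr:-none}" >&2; return 1; }

    # Dry run first: a patch that does not apply cleanly (for example when
    # earlier patches are missing) leaves the tree untouched.
    patch -p1 --dry-run < "$patch_file" >/dev/null || {
        echo "patch does not apply cleanly; check earlier patches" >&2; return 3; }

    patch -p1 < "$patch_file"
}

# Usage from the poky directory:
#   sh this_script.sh 0031-gnutls-CVE-2015-3308.patch
if [ "$#" -ge 1 ]; then apply_verified_patch "$@"; fi
```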


If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----


