[security-announce] gnutls: Security update (Enea Linux 4.0)

Sona Sarmadi sona.sarmadi at enea.com
Tue Sep 8 08:17:35 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

		Enea Linux Security Advisory

=========================================================
Product/package: gnutls 2.12
Severity: Moderate
CVE Name: CVE-2015-0282
=========================================================
This security patch fixes an RSA PKCS#1 signature verification
forgery issue.
An attacker could create a certificate that used a different
hashing algorithm than it claimed, possibly causing GnuTLS
to use an insecure, disallowed hashing algorithm during
certificate verification.

Signed patch and README files
================================
0098-gnutls-CVE-2015-0282.patch
0098-gnutls-CVE-2015-0282.patch.sig
0098-gnutls-CVE-2015-0282.READMAE.asc

Description
===========
GnuTLS before 3.1.0 does not verify that the RSA PKCS #1
signature algorithm matches the signature algorithm in the
certificate, which allows remote attackers to conduct
downgrade attacks via unspecified vectors.

Reference
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0282
https://bugzilla.redhat.com/show_bug.cgi?id=1194371

How to apply the patches
=======================
Make sure that you have an installation of Enea Linux and
have applied the existing patches in the right order.

wget https://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

 - Fetch, verify and apply the new patch
wget https://linux.enea.com/4.0/patches/0098-gnutls-CVE-2015-0282.patch
wget https://linux.enea.com/4.0/patches/\
0098-gnutls-CVE-2015-0282.patch.sig
gpg --verify 0098-gnutls-CVE-2015-0282.patch.sig
patch -p1 < ./0098-gnutls-CVE-2015-0282.patch

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
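
Added example (not part of the Enea advisory and not GnuTLS code): the check named in the Description above, shown on the decoded EMSA-PKCS1-v1_5 block of an RSA signature. A lenient verifier trusts the hash named inside the signature, while a strict one also requires it to equal the algorithm the certificate declares. The function names, the constructed sample bytes and the use of SHA-1 as the weaker hash are assumptions made for illustration.

```python
import hashlib

# DER DigestInfo prefixes from RFC 8017 section 9.2, keyed by hash name.
DIGESTINFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def emsa_pkcs1_v15(message, hash_name, em_len=256):
    """Build the encoded block a signer would feed to the RSA private operation."""
    t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def parse_em(em):
    """Return (hash_name, digest) from a decoded block, or None if malformed."""
    if em[:2] != b"\x00\x01":
        return None
    sep = em.find(b"\x00", 2)
    # At least 8 bytes of 0xff padding, and nothing but 0xff before the separator.
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return None
    t = em[sep + 1:]
    for name, prefix in DIGESTINFO_PREFIX.items():
        size = hashlib.new(name).digest_size
        if t.startswith(prefix) and len(t) == len(prefix) + size:
            return name, t[len(prefix):]
    return None

def verify_lenient(em, message, declared_hash):
    """Behaviour the advisory describes: declared_hash is never consulted."""
    parsed = parse_em(em)
    return parsed is not None and hashlib.new(parsed[0], message).digest() == parsed[1]

def verify_strict(em, message, declared_hash):
    """Reject unless the embedded hash is the one the certificate declares."""
    parsed = parse_em(em)
    if parsed is None or parsed[0] != declared_hash:
        return False
    return hashlib.new(declared_hash, message).digest() == parsed[1]

if __name__ == "__main__":
    tbs = b"constructed tbsCertificate bytes"   # constructed sample input
    em = emsa_pkcs1_v15(tbs, "sha1")            # signature body uses SHA-1
    # The certificate claims sha256WithRSAEncryption:
    print("lenient:", verify_lenient(em, tbs, "sha256"))
    print("strict: ", verify_strict(em, tbs, "sha256"))
```
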


