[security-announce] GnuTLS: Security update

Sona Sarmadi sona.sarmadi at enea.com
Mon Apr 20 13:54:44 CEST 2015



	Enea Linux Security Advisory

=========================================================
Product/package: GnuTLS: 2.12
Severity: Important
CVE Name: CVE-2014-3466 insufficient session id length check in
_gnutls_read_server_hello (GNUTLS-SA-2014-3)
=========================================================
This security patch fixes an insufficient session id length check in
_gnutls_read_server_hello.

README file: 0062-gnutls-CVE-2014-3466.README
Patch file: 0062-gnutls-CVE-2014-3466.patch
Signed patch: 0062-gnutls-CVE-2014-3466.patch.asc
sha1sum: 0062-gnutls-CVE-2014-3466.patch.sha1

Description
===========
Buffer overflow in the read_server_hello function in
lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15,
and 3.3.x before 3.3.4 allows remote servers to cause a denial of
service (memory corruption) or possibly execute arbitrary code via
a long session id in a ServerHello message.
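The following is an added example, not GnuTLS code and not part of the advisory: a minimal ServerHello parser in C that shows the length check described above. A TLS session id is carried as a one-byte length followed by 0..32 bytes (RFC 5246), so a length byte above 32 must be rejected before anything is copied into the fixed 32-byte destination. The function and type names (parse_server_hello, build_server_hello, parse_constructed_hello, server_hello_t) are assumptions made for this example, and the message bytes it builds are constructed test input.

```c
/*
 * Added example (not GnuTLS code): a minimal TLS ServerHello parser showing the
 * session id length check that CVE-2014-3466 concerns.
 *
 * ServerHello body layout without extensions (RFC 5246, 7.4.1.3):
 *   server_version      2 bytes
 *   random             32 bytes
 *   session_id          1 length byte + 0..32 bytes
 *   cipher_suite        2 bytes
 *   compression_method  1 byte
 *
 * All identifiers below are assumptions made for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_MAX_SESSION_ID_SIZE 32   /* RFC 5246: SessionID is opaque <0..32> */
#define TLS_RANDOM_SIZE 32

enum {
    SH_OK = 0,
    SH_ERR_TRUNCATED = -1,           /* input shorter than its fields claim */
    SH_ERR_SESSION_ID_TOO_LONG = -2  /* length byte > 32: would overflow the buffer */
};

typedef struct {
    uint16_t version;
    uint8_t  random[TLS_RANDOM_SIZE];
    uint8_t  session_id[TLS_MAX_SESSION_ID_SIZE];  /* fixed-size destination */
    uint8_t  session_id_len;
    uint16_t cipher_suite;
    uint8_t  compression;
} server_hello_t;

/* Hardened parser: every length taken from the wire is validated against both
 * the remaining input and the fixed-size destination before any copy. */
int parse_server_hello(const uint8_t *buf, size_t len, server_hello_t *out)
{
    size_t pos;

    if (len < 2 + TLS_RANDOM_SIZE + 1)
        return SH_ERR_TRUNCATED;
    out->version = (uint16_t)((buf[0] << 8) | buf[1]);
    pos = 2;
    memcpy(out->random, buf + pos, TLS_RANDOM_SIZE);
    pos += TLS_RANDOM_SIZE;

    uint8_t sid_len = buf[pos++];
    /* The peer-controlled length byte can be anything up to 255, but the
     * destination holds only 32 bytes. Without this check a long session id
     * is copied past the end of out->session_id (memory corruption). */
    if (sid_len > TLS_MAX_SESSION_ID_SIZE)
        return SH_ERR_SESSION_ID_TOO_LONG;
    if (len - pos < sid_len)
        return SH_ERR_TRUNCATED;
    memcpy(out->session_id, buf + pos, sid_len);
    out->session_id_len = sid_len;
    pos += sid_len;

    if (len - pos < 3)
        return SH_ERR_TRUNCATED;
    out->cipher_suite = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    out->compression = buf[pos + 2];
    return SH_OK;
}

/* Builds a constructed ServerHello carrying a session id of sid_len bytes.
 * Returns the message length, or 0 if buf is too small. Test input only. */
size_t build_server_hello(uint8_t *buf, size_t bufsz, uint8_t sid_len)
{
    size_t need = 2 + TLS_RANDOM_SIZE + 1 + sid_len + 3;
    if (bufsz < need)
        return 0;
    buf[0] = 0x03; buf[1] = 0x03;                          /* TLS 1.2 */
    memset(buf + 2, 0xAB, TLS_RANDOM_SIZE);                /* constructed random */
    buf[2 + TLS_RANDOM_SIZE] = sid_len;
    memset(buf + 2 + TLS_RANDOM_SIZE + 1, 0x42, sid_len);  /* constructed session id */
    size_t p = 2 + TLS_RANDOM_SIZE + 1 + sid_len;
    buf[p] = 0xC0; buf[p + 1] = 0x2F;   /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
    buf[p + 2] = 0x00;                  /* null compression */
    return need;
}

/* Builds a hello with the given session id length, drops `truncate` trailing
 * bytes, and returns the parser's result code. */
int parse_constructed_hello(uint8_t sid_len, size_t truncate)
{
    uint8_t msg[512];
    server_hello_t sh;
    size_t n = build_server_hello(msg, sizeof msg, sid_len);
    if (n == 0 || truncate > n)
        return SH_ERR_TRUNCATED;
    return parse_server_hello(msg, n - truncate, &sh);
}

int main(void)
{
    printf("32-byte session id:  %d\n", parse_constructed_hello(32, 0));   /* 0  */
    printf("200-byte session id: %d\n", parse_constructed_hello(200, 0));  /* -2 */
    printf("truncated message:   %d\n", parse_constructed_hello(16, 5));   /* -1 */
    return 0;
}
```

The order of the two checks matters: the bound against the destination size is tested first, so a message that is both long enough and carries a 200-byte session id is refused outright rather than partially copied.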

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466

How to apply the patches
=======================
- Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches>

- Fetch and apply the new patch
wget https://linux.enea.com/4.0/patches/0062-gnutls-CVE-2014-3466.patch
patch -p1 < ./0062-gnutls-CVE-2014-3466.patch

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
