Message-ID: <20050513094650.GK8016@piware.de>
Date: Fri, 13 May 2005 11:46:50 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-126-1] GNU TLS library vulnerability

===========================================================
Ubuntu Security Notice USN-126-1	       May 13, 2005
gnutls11, gnutls10 vulnerability
CAN-2005-1431
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libgnutls10
libgnutls11
libgnutls11-dbg

The problem can be corrected by upgrading the affected package to
version 1.0.4-3ubuntu1.1 (for Ubuntu 4.10), or 1.0.16-13ubuntu0.1 (for
Ubuntu 5.04).  For most desktop applications, a standard system
upgrade is sufficient to effect the necessary changes. However, if you
are running servers or other long-running applications that use
libgnutls (cupsys, exim4, Gaim), you must restart them manually. If you
can afford to reboot your machine, this is the easiest way to ensure
that all services using this library are restarted correctly.

Details follow:

A Denial of Service vulnerability was discovered in the GNU TLS
library, which provides common cryptographic algorithms and is used by
many applications in Ubuntu. Due to a missing sanity check of the
padding length field, specially crafted ciphertext blocks caused an
out-of-bounds memory access which could crash the application. It was
not possible to exploit this to execute any attacker-specified code.
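
The kind of sanity check the paragraph above refers to, as an added
example (not code from GnuTLS or from this advisory). It assumes the TLS
block-cipher record layout, where the last decrypted byte is the padding
length and every padding byte repeats that value, and a 20-byte MAC; the
names strip_padding, check_sample and MAC_LEN are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 20 /* assumption: HMAC-SHA1 record MAC */

/* Returns the length of data+MAC once padding is stripped, or -1 if the
 * padding length field is inconsistent with the decrypted record. */
long strip_padding(const uint8_t *rec, size_t rec_len, size_t mac_len)
{
    if (rec == NULL || rec_len == 0)
        return -1;
    size_t pad_len = rec[rec_len - 1]; /* taken from the peer: 0..255 */

    /* Sanity check: padding, its length byte and the MAC must all fit.
     * Without it, the loop below indexes before the start of rec. */
    if (pad_len + 1 + mac_len > rec_len)
        return -1;

    /* Every padding byte, and the length byte, must equal pad_len. */
    uint8_t diff = 0;
    for (size_t i = 0; i <= pad_len; i++)
        diff |= rec[rec_len - 1 - i] ^ (uint8_t)pad_len;
    if (diff != 0)
        return -1;
    return (long)(rec_len - pad_len - 1);
}

/* Constructed sample: a rec_len-byte record filled with 0xAA whose final
 * n_tail bytes are set to `value`. */
long check_sample(size_t rec_len, size_t n_tail, uint8_t value)
{
    uint8_t rec[64];
    if (rec_len == 0 || rec_len > sizeof rec || n_tail > rec_len)
        return -1;
    memset(rec, 0xAA, sizeof rec);
    memset(rec + rec_len - n_tail, value, n_tail);
    return strip_padding(rec, rec_len, MAC_LEN);
}

int main(void)
{
    printf("well-formed:       %ld\n", check_sample(32, 4, 0x03));
    printf("pad_len > record:  %ld\n", check_sample(16, 1, 0xFF));
    printf("no room for MAC:   %ld\n", check_sample(32, 1, 0x10));
    printf("wrong pad bytes:   %ld\n", check_sample(32, 2, 0x03));
    return 0;
}
```

A record is rejected before any padding byte is read whenever the
padding length field claims more bytes than the record can hold.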

Updated packages for Ubuntu 4.10 (Warty Warthog):


Updated packages for Ubuntu 5.04 (Hoary Hedgehog):


