lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <87ej7xue22.fsf@mid.deneb.enyo.de>
Date: Tue, 20 May 2008 18:37:41 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1581-1] New gnutls13 packages fix potential code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1581-1                  security@...ian.org
http://www.debian.org/security/                           Florian Weimer
May 20, 2008                          http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : gnutls13
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-1948, CVE-2008-1949, CVE-2008-1950

Several remote vulnerabilities have been discovered in GNUTLS, an
implementation of the SSL/TLS protocol suite.

NOTE: The libgnutls13 package, which provides the GNUTLS library, does
not contain logic to automatically restart potentially affected
services.  You must restart affected services manually (mainly Exim,
using "/etc/init.d/exim4 restart") after applying the update, to make
the changes fully effective.  Alternatively, you can reboot the system.

The following vulnerabilities have been identified:

A pre-authentication heap overflow involving oversized session
resumption data may lead to arbitrary code execution (CVE-2008-1948).

Repeated client hellos may result in a pre-authentication denial of
service condition due to a null pointer dereference (CVE-2008-1949).

Decoding cipher padding with an invalid record length may cause GNUTLS
to read memory beyond the end of the received record, leading to a
pre-authentication denial of service condition (CVE-2008-1950).

For the stable distribution (etch), these problems have been fixed in
version 1.4.4-3+etch1.  (Builds for the arm architecture are currently
not available and will be released later.)

For the unstable distribution (sid), these problems will be fixed soon. 

We recommend that you upgrade your GNUTLS packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4-3+etch1.diff.gz
    Size/MD5 checksum:    19173 12dfc774f73fbfff5a9853255eb4044e
  http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4.orig.tar.gz
    Size/MD5 checksum:  4752009 c06ada020e2b69caa51833175d59f8b2
  http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4-3+etch1.dsc
    Size/MD5 checksum:     1251 f3b7538539a9a255eac70d8ed816e2d2

Architecture independent packages:

  http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-doc_1.4.4-3+etch1_all.deb
    Size/MD5 checksum:  2305156 92f5504bb67e96400b279148ff36954a

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch1_alpha.deb
    Size/MD5 checksum:   327962 019adc4281f16b70ee32b6fb098b6db4
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch1_alpha.deb
    Size/MD5 checksum:   547270 baf92f790799abc128bb9efed980b53d
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch1_alpha.deb
    Size/MD5 checksum:   523926 fadab0e3396daaa51e25aaf764ebff32
  http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch1_alpha.deb
    Size/MD5 checksum:   196278 2435a7c5406d9e2ea0b75ab7c06f9ee9

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch1_amd64.deb
    Size/MD5 checksum:   182806 c6be7ccc98eed7ed736e62494b816698
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch1_amd64.deb
    Size/MD5 checksum:   538864 a044b7f079d9e26263e019cc097961d2
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch1_amd64.deb
    Size/MD5 checksum:   314566 339849e531211778332d01e39e806b37
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch1_amd64.deb
    Size/MD5 checksum:   389130 830c1b21cdfd37cb104c8f5638e8ecd2

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch1_hppa.deb
    Size/MD5 checksum:   521698 24bc2603d20bd09f1b50dbc284d7c002
  http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch1_hppa.deb
    Size/MD5 checksum:   183890 0f5af046360a12c7974af8b8f47c12ca
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch1_hppa.deb
    Size/MD5 checksum:   312458 bc455a6e70342a891e3e50928df33627
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch1_hppa.deb
    Size/MD5 checksum:   434892 d6e3aca67b9e59bb3689fda6a479d1d3

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch1_i386.deb
    Size/MD5 checksum:   358100 a1417f99c68ccfe7fe3baaf5b0a82fc4
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch1_i386.deb
    Size/MD5 checksum:   281748 1b968342495c6fd9e35974fe7794c66a
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch1_i386.deb
    Size/MD5 checksum:   524782 4af9debc5ebb2f0afbb552599b04a1ea
  http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch1_i386.deb
    Size/MD5 checksum:   172744 1fc64ca700778b7c076fe18078898293

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch1_ia64.deb
    Size/MD5 checksum:   550132 6cdee2122fcabf7538cbb8a5f8a46dc8
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch1_ia64.deb
    Size/MD5 checksum:   527970 f79a04ada0467a5e2ad881486f180524
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch1_ia64.deb
    Size/MD5 checksum:   394710 f3539e1074b5fdf7b4e05a5ae18910d6
  http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch1_ia64.deb
    Size/MD5 checksum:   229100 a5b608a5d0b08366d46a7e7b378cb76f

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch1_mips.deb
    Size/MD5 checksum:   552510 4d33587b3d164660b88e1a0aece6de07
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch1_mips.deb
    Size/MD5 checksum:   417916 e7b68ae5b9a26748f7ee5c608c6871ad
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch1_mips.deb
    Size/MD5 checksum:   277948 b4aa68014ab9005a66dc04b8424fe941
  http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch1_mips.deb
    Size/MD5 checksum:   181700 810ae6a3d92eb7609a0cfd32db043433

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch1_mipsel.deb
    Size/MD5 checksum:   541700 657c1167d217eb639cf3655b486fcc62
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch1_mipsel.deb
    Size/MD5 checksum:   417032 f3beae1dd61de2e3fac5d292fcb1c377
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch1_mipsel.deb
    Size/MD5 checksum:   277698 48986a326282563af743147dc76f0fd5
  http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch1_mipsel.deb
    Size/MD5 checksum:   182654 e86e98f4fbd9659b1b7da3f5ac3ca442

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch1_powerpc.deb
    Size/MD5 checksum:   184542 dfed7b8ae7a888d65d82e28f4a15d0bd
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch1_powerpc.deb
    Size/MD5 checksum:   288842 38db064a06a7b073e456425f74392a51
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch1_powerpc.deb
    Size/MD5 checksum:   538618 9cfd7c7cdf36aea9c445e237156a8898
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch1_powerpc.deb
    Size/MD5 checksum:   388748 50dd9f5a82dca333bdbd282992488eab

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch1_s390.deb
    Size/MD5 checksum:   537378 b60c8caef47fa70cc68399db3b1bde5a
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch1_s390.deb
    Size/MD5 checksum:   311484 363d2d588467086e7fe144acbd420e56
  http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch1_s390.deb
    Size/MD5 checksum:   184454 837c2b3b9e82118952a8051d4d52c5ee
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch1_s390.deb
    Size/MD5 checksum:   380122 6345f76b43ce87b7419d5f519bb5ab98

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch1_sparc.deb
    Size/MD5 checksum:   491030 26a5ca2cb1de39a51c22e90d3894ee87
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch1_sparc.deb
    Size/MD5 checksum:   271018 4fc9a17eb374885cf809575bcecbe8a9
  http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch1_sparc.deb
    Size/MD5 checksum:   169546 a717fb3d1c0cf0b28069693d6da91495
  http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch1_sparc.deb
    Size/MD5 checksum:   378820 7d307f07e38974f276b189eb90599161


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSDL92r97/wQC1SS+AQJPQwf9HgsYEDMQvrosWa97f3yxaXsylNaAAxtn
VoLpWWFKwNoIC/0VrnoWA9gMmNxR+nW8SQ8syadJt7ETAaN1/hiN5BN4ZtuDeU1e
db5MQVcAKJtq0qqsPWCV8G3NKKopIhEsUKHDV0RMlNF9vN0Jps3SYYPw9UzGtymS
25Lg6mr/wCVEPsuBVL4fZwSWkGp7kX4GW6kFpqXF5mi0QoaJJpH1wkzvzYWFGw0A
E08LVyDIsPnm2+o9MOEQveJjwQfI5ykE/dnakMEMET9Q+te5HauQXlq9mY54+HC2
m+xTfZGEUHpV4rkckNGgNul9CibhD0ys5U6dh9wFGsaTpLUUNMTnvQ==
=ONq2
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ