Date: Wed, 19 Aug 2009 18:55:26 -0500
From: Jamie Strandboge <>
Subject: [USN-809-1] GnuTLS vulnerabilities

Ubuntu Security Notice USN-809-1            August 19, 2009
gnutls12, gnutls13, gnutls26 vulnerabilities
CVE-2009-2409, CVE-2009-2730

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libgnutls12                     1.2.9-2ubuntu1.7

Ubuntu 8.04 LTS:
  libgnutls13                     2.0.4-1ubuntu2.6

Ubuntu 8.10:
  libgnutls26                     2.4.1-1ubuntu0.4

Ubuntu 9.04:
  libgnutls26                     2.4.2-6ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Moxie Marlinspike and Dan Kaminsky independently discovered that GnuTLS did
not properly handle certificates with NULL characters in the certificate
name. An attacker could exploit this to perform a man-in-the-middle attack
to view sensitive information or alter encrypted communications.

Dan Kaminsky discovered GnuTLS would still accept certificates with MD2
hash signatures. As a result, an attacker could potentially create a
malicious trusted certificate to impersonate another site. This issue only
affected Ubuntu 6.06 LTS and Ubuntu 8.10. (CVE-2009-2409)

USN-678-1 fixed a vulnerability and USN-678-2 a regression in GnuTLS. The
upstream patches introduced a regression when validating certain certificate
chains that would report valid certificates as untrusted. This update
fixes the problem, and only affected Ubuntu 6.06 LTS and Ubuntu 8.10 (Ubuntu
8.04 LTS and 9.04 were fixed at an earlier date). In an effort to maintain a
strong security stance and address all known regressions, this update
deprecates X.509 validation chains using MD2 and MD5 signatures. To accommodate
sites which must still use a deprecated RSA-MD5 certificate, GnuTLS has been
updated to stop looking when it has found a trusted intermediary certificate.
This new handling of intermediary certificates is in accordance with other SSL
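
As an added illustration (not GnuTLS or Ubuntu code) of the two validation rules described above: a NUL-terminated comparison of the certificate name beside the full-length one, and a chain walk that rejects MD2/MD5 signatures but stops at the first certificate already in the trust store. The Cert class, the names and the trust store are constructed for this example, and actual signature verification is omitted.

```python
from dataclasses import dataclass

# Constructed model, not GnuTLS code: signature checking itself is omitted,
# only issuer linkage and the two policies from the notice are modelled.
DEPRECATED_SIG_ALGS = {"RSA-MD2", "RSA-MD5"}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str  # algorithm the issuer used to sign this certificate


def name_matches_c_string(name: bytes, hostname: str) -> bool:
    """The flawed comparison: treats the name as a C string, stops at NUL."""
    return name.split(b"\x00", 1)[0].decode("ascii") == hostname


def name_matches(name: bytes, hostname: str) -> bool:
    """Hardened: a NUL inside a DNS name is never valid, and the whole
    encoded length is compared, not the prefix before the first NUL."""
    if b"\x00" in name:
        return False
    return name.decode("ascii").lower() == hostname.lower()


def verify_chain(chain, trusted):
    """chain[0] is the end-entity certificate; chain[i + 1] issued chain[i].

    Walk towards the root, rejecting MD2/MD5 signatures on the way, but stop
    as soon as a certificate is itself in the trust store: a trusted
    intermediary (or a legacy RSA-MD5 root) is never judged by its own
    signature. Returns (ok, reason)."""
    anchors = {c.subject for c in trusted}
    for depth, cert in enumerate(chain):
        if cert.subject in anchors:
            return True, f"trusted certificate reached at depth {depth}"
        if cert.sig_alg in DEPRECATED_SIG_ALGS:
            return False, f"{cert.subject}: deprecated {cert.sig_alg} signature"
        issuer = chain[depth + 1] if depth + 1 < len(chain) else None
        if issuer is None or issuer.subject != cert.issuer:
            return False, f"{cert.subject}: issuer {cert.issuer} not in chain"
    return False, "chain ended without reaching a trusted certificate"


# Constructed sample: a legacy RSA-MD5 root and an RSA-MD5-signed intermediary.
ROOT = Cert("Legacy Root", "Legacy Root", "RSA-MD5")
INTER = Cert("Legacy Intermediary", "Legacy Root", "RSA-MD5")
LEAF = Cert("www.example.com", "Legacy Intermediary", "RSA-SHA1")
```

With both ROOT and INTER in the trust store the chain validates at depth 1 and the RSA-MD5 signature on INTER is never examined; with only ROOT trusted, INTER is rejected for its deprecated signature.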

Original advisory details:

 Martin von Gagern discovered that GnuTLS did not properly verify
 certificate chains when the last certificate in the chain was self-signed.
 If a remote attacker were able to perform a man-in-the-middle attack, this
 flaw could be exploited to view sensitive information. (CVE-2008-4989)

Updated packages for Ubuntu 6.06 LTS:


Updated packages for Ubuntu 8.04 LTS:


Updated packages for Ubuntu 8.10:


Updated packages for Ubuntu 9.04:

