Test ID:	1.3.6.1.4.1.25623.1.0.61861
Category:	Slackware Local Security Checks
Title:	Slackware: Security Advisory (SSA:2008-315-01)
Summary:	The remote host is missing an update for the 'gnutls' package(s) announced via the SSA:2008-315-01 advisory.
Description:	Summary: The remote host is missing an update for the 'gnutls' package(s) announced via the SSA:2008-315-01 advisory. Vulnerability Insight: New gnutls packages are available for Slackware 12.0, 12.1, and -current to fix a security issue. NOTE: The package for 12.0 has a different shared library soname, and the packages for 12.1 and -current have an API/ABI change. Only the Pidgin package in Slackware links with GnuTLS, and upgraded Pidgin packages have also been made available. However, if the updated GnuTLS package is installed any other custom-compiled software that uses GnuTLS may need to be recompiled. More details about this issue will become available in the Common Vulnerabilities and Exposures (CVE) database: [link moved to references] Here are the details from the Slackware 12.1 ChangeLog: +--------------------------+ patches/packages/gnutls-2.6.1-i486-1_slack12.1.tgz: Upgraded to gnutls-2.6.1. From the gnutls-2.6.1 NEWS file: ** libgnutls: Fix X.509 certificate chain validation error. [GNUTLS-SA-2008-3] The flaw makes it possible for man in the middle attackers (i.e., active attackers) to assume any name and trick GNU TLS clients into trusting that name. Thanks for report and analysis from Martin von Gagern . [CVE-2008-4989] For more information, see: [link moved to references] IMPORTANT NOTE: This update modifies the API and ABI for the gnutls_pk_params_st function. Any software that uses the function will need to be recompiled. (* Security fix *) +--------------------------+ Affected Software/OS: 'gnutls' package(s) on Slackware 12.0, Slackware 12.1, Slackware current. Solution: Please install the updated package(s). CVSS Score: 4.3 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2008-4989 BugTraq ID: 32232 http://www.securityfocus.com/bid/32232 Bugtraq: 20081117 rPSA-2008-0322-1 gnutls (Google Search) http://www.securityfocus.com/archive/1/498431/100/0/threaded Debian Security Information: DSA-1719 (Google Search) http://www.debian.org/security/2009/dsa-1719 https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00222.html https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00293.html http://security.gentoo.org/glsa/glsa-200901-10.xml http://www.mandriva.com/security/advisories?name=MDVSA-2008:227 http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217 http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11650 http://www.redhat.com/support/errata/RHSA-2008-0982.html http://www.securitytracker.com/id?1021167 http://secunia.com/advisories/32619 http://secunia.com/advisories/32681 http://secunia.com/advisories/32687 http://secunia.com/advisories/32879 http://secunia.com/advisories/33501 http://secunia.com/advisories/33694 http://secunia.com/advisories/35423 http://sunsolve.sun.com/search/document.do?assetkey=1-26-260528-1 SuSE Security Announcement: SUSE-SR:2008:027 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html SuSE Security Announcement: SUSE-SR:2009:009 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html https://usn.ubuntu.com/678-1/ http://www.ubuntu.com/usn/usn-678-2 http://www.vupen.com/english/advisories/2008/3086 http://www.vupen.com/english/advisories/2009/1567 XForce ISS Database: gnutls-x509-name-spoofing(46482) https://exchange.xforce.ibmcloud.com/vulnerabilities/46482
Copyright	Copyright (C) 2012 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.