| Description: | Summary:
The remote host is missing an update for the 'gnutls' package(s) announced via the SUSE-SU-2014:0322-1 advisory.
Vulnerability Insight:
The GnuTLS library received a critical security fix and other updates:
* CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid.
* CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled.
* CVE-2013-2116: The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS allowed remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length.
* CVE-2013-1619: Timing attacks against hashing of padding was fixed which might have allowed disclosure of keys. (Lucky13 attack).
Also the following non-security bugs have been fixed:
* gnutls doesn't like root CAs without Basic Constraints. Permit V1 Certificate Authorities properly
(bnc#760265)
* memory leak in PSK authentication (bnc#835760)
Security Issue references:
* CVE-2014-0092
>
* CVE-2009-5138
>
* CVE-2013-2116
>
* CVE-2013-1619
>
Affected Software/OS:
'gnutls' package(s) on SUSE Linux Enterprise Server 11-SP1.
Solution:
Please install the updated package(s).
CVSS Score:
5.8
CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:N
|
