요약

Critical: gnutls security update

유형/심각도

Security Advisory: Critical

주제

Updated gnutls packages that fix several security issues are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

설명

The GnuTLS Library provides support for cryptographic algorithms and
protocols such as TLS. GnuTLS includes libtasn1, a library developed for
ASN.1 structures management that includes DER encoding and decoding.

Flaws were found in the way GnuTLS handles malicious client connections. A
malicious remote client could send a specially crafted request to a service
using GnuTLS that could cause the service to crash. (CVE-2008-1948,
CVE-2008-1949, CVE-2008-1950)

We believe it is possible to leverage the flaw CVE-2008-1948 to execute
arbitrary code but have been unable to prove this at the time of releasing
this advisory. Red Hat Enterprise Linux 5 includes applications, such as
CUPS, that would be directly vulnerable to any such an exploit, however.
Consequently, we have assigned it critical severity.

Users of GnuTLS are advised to upgrade to these updated packages, which
contain a backported patch that corrects these issues.

솔루션

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

영향을 받는 제품

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Server - Extended Update Support 5.1 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support 5.1 ia64
• Red Hat Enterprise Linux Server - Extended Update Support 5.1 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.1 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.1 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

수정

• BZ - 447461 - CVE-2008-1948 GNUTLS-SA-2008-1-1 GnuTLS buffer overflow
• BZ - 447462 - CVE-2008-1949 GNUTLS-SA-2008-1-2 GnuTLS null-pointer dereference
• BZ - 447463 - CVE-2008-1950 GNUTLS-SA-2008-1-3 GnuTLS memory overread flaw

CVE

• CVE-2008-1949
• CVE-2008-1948
• CVE-2008-1950

참조

• http://www.redhat.com/security/updates/classification/#critical

Red Hat Enterprise Linux Server 5

SRPM
x86_64
gnutls-devel-1.4.1-3.el5_1.i386.rpm	SHA-256: cc0eaef4c01e68800532d08ccfc8f6c0e91d83765588757aec273e6fb5829892
gnutls-devel-1.4.1-3.el5_1.x86_64.rpm	SHA-256: 396306ff470b16c86fffa8fe7821550bd626172229e70b407573cb1b0a2e29ea
i386
gnutls-devel-1.4.1-3.el5_1.i386.rpm	SHA-256: cc0eaef4c01e68800532d08ccfc8f6c0e91d83765588757aec273e6fb5829892

Red Hat Enterprise Linux Workstation 5

SRPM
x86_64
gnutls-devel-1.4.1-3.el5_1.i386.rpm	SHA-256: cc0eaef4c01e68800532d08ccfc8f6c0e91d83765588757aec273e6fb5829892
gnutls-devel-1.4.1-3.el5_1.x86_64.rpm	SHA-256: 396306ff470b16c86fffa8fe7821550bd626172229e70b407573cb1b0a2e29ea
i386
gnutls-devel-1.4.1-3.el5_1.i386.rpm	SHA-256: cc0eaef4c01e68800532d08ccfc8f6c0e91d83765588757aec273e6fb5829892

Red Hat Enterprise Linux Server from RHUI 5

SRPM
x86_64
gnutls-devel-1.4.1-3.el5_1.i386.rpm	SHA-256: cc0eaef4c01e68800532d08ccfc8f6c0e91d83765588757aec273e6fb5829892
gnutls-devel-1.4.1-3.el5_1.x86_64.rpm	SHA-256: 396306ff470b16c86fffa8fe7821550bd626172229e70b407573cb1b0a2e29ea
i386
gnutls-devel-1.4.1-3.el5_1.i386.rpm	SHA-256: cc0eaef4c01e68800532d08ccfc8f6c0e91d83765588757aec273e6fb5829892