Is there a fix for GnuTLS GNUTLS-SA-2014-2 and CVE-2014-0092?

Solution Verified - Updated -

Issue

A member of the Red Hat Security Technologies Team, Nikos Mavrogiannopoulos, discovered that the GnuTLS library did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that GnuTLS would accept as valid for a site chosen by the attacker.

Red Hat quickly resolved the bug and published the advisory CVE-2014-0092. The issue was also reported to the upstream GnuTLS community, which has published advisory GNUTLS-SA-2014-2.
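The class of flaw described above, where an error raised during verification ends up reported as success, can be illustrated with the added example below. It is not GnuTLS code and not taken from this article: the types, names and the error-as-boolean mechanism are assumptions chosen for illustration, and the certificates are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, hypothetical names for illustration; not GnuTLS code. */
#define ERR_PARSE (-1)          /* helper failed before reaching a verdict */

struct cert {
    const char *subject;
    const char *issuer;
    int is_ca;                  /* 1 if the certificate is marked as a CA */
    int malformed;              /* 1 simulates a decoding error */
};

/* Returns 1 = issued by the trusted CA, 0 = not, negative = error. */
static int check_issuer(const struct cert *c, const struct cert *trusted)
{
    if (c->malformed)
        return ERR_PARSE;       /* error path: no verdict was reached */
    if (!trusted->is_ca)
        return 0;
    return strcmp(c->issuer, trusted->subject) == 0;
}

/* Flawed caller: any non-zero value, including an error code, is "valid". */
int verify_flawed(const struct cert *c, const struct cert *trusted)
{
    int ret = check_issuer(c, trusted);
    return ret ? 1 : 0;         /* ERR_PARSE (-1) is truthy in C */
}

/* Hardened caller: only the explicit success value is accepted. */
int verify_strict(const struct cert *c, const struct cert *trusted)
{
    return check_issuer(c, trusted) == 1;
}

/* Constructed sample certificates. */
static const struct cert ca     = { "Example CA",   "Example CA", 1, 0 };
static const struct cert good   = { "site.example", "Example CA", 0, 0 };
static const struct cert other  = { "site.example", "Unknown CA", 0, 0 };
static const struct cert broken = { "site.example", "Unknown CA", 0, 1 };

int main(void)
{
    printf("broken cert, flawed caller: %d\n", verify_flawed(&broken, &ca));
    printf("broken cert, strict caller: %d\n", verify_strict(&broken, &ca));
    return 0;
}
```

When reviewing verification code, check that every caller distinguishes "error" from "verified" and fails closed on anything other than the explicit success value.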

Environment

  • Red Hat Enterprise Linux (RHEL) 4
  • Red Hat Enterprise Linux (RHEL) 5
  • Red Hat Enterprise Linux (RHEL) 6
