Is there a fix for GnuTLS GNUTLS-SA-2014-2 and CVE-2014-0092?
Issue
- Is there a fix for GnuTLS GNUTLS-SA-2014-2 and CVE-2014-0092?
- Is RHEL affected by GnuTLS GNUTLS-SA-2014-2 and CVE-2014-0092?
A member of the Red Hat Security Technologies Team, Nikos Mavrogiannopoulos, discovered an issue with the GnuTLS library in which it did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.
Red Hat quickly resolved the bug and published an advisory for CVE-2014-0092. The issue was also reported to the upstream GnuTLS community, which published advisory GNUTLS-SA-2014-2.
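The defect class behind this advisory, shown as an added, constructed C model rather than GnuTLS's own code: a helper on the verification path answers a yes/no question but reports failures with a negative error code, and its caller only tests for zero, so a decoding error is read as "yes, this issuer is a CA" and the chain is reported as verified. The function and field names (`check_if_ca_*`, `verify_chain_*`, `decode_fails`, `ERR_DECODE`) are hypothetical; the fixed variant fails closed by mapping every error to "not a CA".

```c
#include <stdio.h>

/* Constructed illustration of the bug class described in the advisory:
 * an error code leaking into a boolean decision. Not GnuTLS's code. */

#define ERR_DECODE (-1)   /* hypothetical: issuer data could not be decoded */

struct cert {
    int decode_fails;     /* constructed input: 1 = decoding this cert errors out */
    int is_ca;            /* basicConstraints cA value as parsed: 1 = CA, 0 = not */
};

/* Buggy helper: a decoding error escapes to the caller as a negative value. */
static int check_if_ca_buggy(const struct cert *issuer)
{
    if (issuer->decode_fails)
        return ERR_DECODE;        /* < 0, but the caller only compares against 0 */
    return issuer->is_ca;
}

/* Buggy caller: anything other than 0 is taken as "is a CA", so an error passes. */
int verify_chain_buggy(const struct cert *issuer)
{
    if (check_if_ca_buggy(issuer) == 0)
        return 0;                 /* issuer is not a CA: verification fails */
    return 1;                     /* reported as verified, even on ERR_DECODE */
}

/* Fixed helper: every error path yields 0 (fail closed), never a negative value. */
static int check_if_ca_fixed(const struct cert *issuer)
{
    if (issuer->decode_fails)
        return 0;                 /* decoding failed: do not claim CA status */
    return issuer->is_ca == 1;
}

/* Fixed caller: only an explicit 1 counts as success. */
int verify_chain_fixed(const struct cert *issuer)
{
    return check_if_ca_fixed(issuer) == 1;
}

int main(void)
{
    const struct cert bad_issuer = { .decode_fails = 1, .is_ca = 0 };
    printf("buggy verify: %d, fixed verify: %d\n",
           verify_chain_buggy(&bad_issuer), verify_chain_fixed(&bad_issuer));
    return 0;
}
```

The buggy path reports the undecodable issuer as verified while the fixed path rejects it; both still accept a genuine CA issuer.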
Environment
- Red Hat Enterprise Linux (RHEL) 4
- Red Hat Enterprise Linux (RHEL) 5
- Red Hat Enterprise Linux (RHEL) 6