ID CVE-2014-0092
Summary lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
References
Vulnerable Configurations
  • GNU GnuTLS 3.2.7
    cpe:2.3:a:gnu:gnutls:3.2.7
  • GNU GnuTLS 3.2.8
    cpe:2.3:a:gnu:gnutls:3.2.8
  • GNU GnuTLS 3.2.8.1
    cpe:2.3:a:gnu:gnutls:3.2.8.1
  • GNU GnuTLS 3.2.9
    cpe:2.3:a:gnu:gnutls:3.2.9
  • GNU GnuTLS 3.2.10
    cpe:2.3:a:gnu:gnutls:3.2.10
  • GNU GnuTLS 3.2.11
    cpe:2.3:a:gnu:gnutls:3.2.11
  • GNU GnuTLS 3.2.0
    cpe:2.3:a:gnu:gnutls:3.2.0
  • GNU GnuTLS 3.2.1
    cpe:2.3:a:gnu:gnutls:3.2.1
  • GNU GnuTLS 3.2.2
    cpe:2.3:a:gnu:gnutls:3.2.2
  • GNU GnuTLS 3.2.3
    cpe:2.3:a:gnu:gnutls:3.2.3
  • GNU GnuTLS 3.2.4
    cpe:2.3:a:gnu:gnutls:3.2.4
  • GNU GnuTLS 3.2.5
    cpe:2.3:a:gnu:gnutls:3.2.5
  • GNU GnuTLS 3.2.6
    cpe:2.3:a:gnu:gnutls:3.2.6
  • GNU GnuTLS 3.1.0
    cpe:2.3:a:gnu:gnutls:3.1.0
  • GNU GnuTLS 3.1.1
    cpe:2.3:a:gnu:gnutls:3.1.1
  • GNU GnuTLS 3.1.10
    cpe:2.3:a:gnu:gnutls:3.1.10
  • GNU GnuTLS 3.1.11
    cpe:2.3:a:gnu:gnutls:3.1.11
  • GNU GnuTLS 3.1.12
    cpe:2.3:a:gnu:gnutls:3.1.12
  • GNU GnuTLS 3.1.13
    cpe:2.3:a:gnu:gnutls:3.1.13
  • GNU GnuTLS 3.1.14
    cpe:2.3:a:gnu:gnutls:3.1.14
  • GNU GnuTLS 3.1.15
    cpe:2.3:a:gnu:gnutls:3.1.15
  • GNU GnuTLS 3.1.16
    cpe:2.3:a:gnu:gnutls:3.1.16
  • GNU GnuTLS 3.1.2
    cpe:2.3:a:gnu:gnutls:3.1.2
  • GNU GnuTLS 3.1.3
    cpe:2.3:a:gnu:gnutls:3.1.3
  • GNU GnuTLS 3.1.4
    cpe:2.3:a:gnu:gnutls:3.1.4
  • GNU GnuTLS 3.1.5
    cpe:2.3:a:gnu:gnutls:3.1.5
  • GNU GnuTLS 3.1.6
    cpe:2.3:a:gnu:gnutls:3.1.6
  • GNU GnuTLS 3.1.7
    cpe:2.3:a:gnu:gnutls:3.1.7
  • GNU GnuTLS 3.1.8
    cpe:2.3:a:gnu:gnutls:3.1.8
  • GNU GnuTLS 3.1.9
    cpe:2.3:a:gnu:gnutls:3.1.9
  • GNU GnuTLS 3.1.21
    cpe:2.3:a:gnu:gnutls:3.1.21
  • GNU GnuTLS 3.1.20
    cpe:2.3:a:gnu:gnutls:3.1.20
  • GNU GnuTLS 3.1.19
    cpe:2.3:a:gnu:gnutls:3.1.19
  • GNU GnuTLS 3.1.18
    cpe:2.3:a:gnu:gnutls:3.1.18
  • GNU GnuTLS 3.1.17
    cpe:2.3:a:gnu:gnutls:3.1.17
CVSS
Base: 5.8 (as of 07-03-2014 - 07:10)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL NONE
nessus via4
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0101.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - fix CVE-2015-0282 (#1198159) - fix CVE-2015-0294 (#1198159) - Corrected value initialization in mpi printing (#1129241) - Check for expiry information in the CA certificates (#1159778) - fix issue with integer padding in certificates and keys (#1036385) - fix session ID length check (#1102025) - fix CVE-2014-0092 (#1069891) - fix CVE-2013-2116 - fix DoS regression in (CVE-2013-1619) upstream patch (#966754) - fix CVE-2013-1619 - fix TLS-CBC timing attack (#908238)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 85142
    published 2015-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85142
    title OracleVM 3.3 : gnutls (OVMSA-2015-0101)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_GNUTLS-140227.NASL
    description The GnuTLS library received a critical security fix and other updates : - The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. (CVE-2014-0092) - A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled. Additionally a memory leak in PSK authentication has been fixed. (bnc#835760). (CVE-2009-5138)
    last seen 2019-02-21
    modified 2014-03-10
    plugin id 72797
    published 2014-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72797
    title SuSE 11.3 Security Update : gnutls (SAT Patch Number 8949)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20140303_GNUTLS_ON_SL5_X.NASL
    description It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) A flaw was found in the way GnuTLS handled version 1 X.509 certificates. An attacker able to obtain a version 1 certificate from a trusted certificate authority could use this flaw to issue certificates for other sites that would be accepted by GnuTLS as valid. (CVE-2009-5138) For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 72795
    published 2014-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72795
    title Scientific Linux Security Update : gnutls on SL5.x i386/x86_64
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_F645AA90A3E811E3A4223C970E169BC2.NASL
    description GnuTLS project reports : A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks. The vulnerability was discovered during an audit of GnuTLS for Red Hat. Suman Jana reported a vulnerability that affects the certificate verification functions of gnutls 2.11.5 and later versions. A version 1 intermediate certificate will be considered as a CA certificate by default (something that deviates from the documented behavior).
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 72808
    published 2014-03-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72808
    title FreeBSD : gnutls -- multiple certificate verification issues (f645aa90-a3e8-11e3-a422-3c970e169bc2)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2014-0321-1.NASL
    description The GnuTLS library received a critical security fix and other updates : - CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. - CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 83612
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83612
    title SUSE SLES10 Security Update : gnutls (SUSE-SU-2014:0321-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2014-301.NASL
    description It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 72949
    published 2014-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72949
    title Amazon Linux AMI : gnutls (ALAS-2014-301)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0247.NASL
    description Updated gnutls packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) A flaw was found in the way GnuTLS handled version 1 X.509 certificates. An attacker able to obtain a version 1 certificate from a trusted certificate authority could use this flaw to issue certificates for other sites that would be accepted by GnuTLS as valid. (CVE-2009-5138) The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 72794
    published 2014-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72794
    title RHEL 5 : gnutls (RHSA-2014:0247)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-181.NASL
    description The gnutls library was updated to fixed x509 certificate validation problems, where man-in-the-middle attackers could hijack SSL connections. This update also reenables Elliptic Curve support to meet current day cryptographic requirements.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 75274
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75274
    title openSUSE Security Update : gnutls (openSUSE-SU-2014:0325-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-183.NASL
    description The gnutls library was updated to fix SSL certificate validation. Remote man-in-the-middle attackers were able to make the verification believe that a SSL certificate is valid even though it was not.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75276
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75276
    title openSUSE Security Update : gnutls (openSUSE-SU-2014:0328-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2869.NASL
    description Nikos Mavrogiannopoulos of Red Hat discovered an X.509 certificate verification issue in GnuTLS, an SSL/TLS library. A certificate validation could be reported sucessfully even in cases were an error would prevent all verification steps to be performed. An attacker doing a man-in-the-middle of a TLS connection could use this vulnerability to present a carefully crafted certificate that would be accepted by GnuTLS as valid even if not signed by one of the trusted authorities.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 72782
    published 2014-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72782
    title Debian DSA-2869-1 : gnutls26 - incorrect certificate verification
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-0246.NASL
    description Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. Users of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 72803
    published 2014-03-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72803
    title CentOS 6 : gnutls (CESA-2014:0246)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_GNUTLS_20140915.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. (CVE-2014-0092)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80631
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80631
    title Oracle Solaris Third-Party Patch Update : gnutls (cve_2014_0092_cryptographic_issues)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2014-062-01.NASL
    description New gnutls packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 72781
    published 2014-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72781
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : gnutls (SSA:2014-062-01)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-0247.NASL
    description Updated gnutls packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) A flaw was found in the way GnuTLS handled version 1 X.509 certificates. An attacker able to obtain a version 1 certificate from a trusted certificate authority could use this flaw to issue certificates for other sites that would be accepted by GnuTLS as valid. (CVE-2009-5138) The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 72804
    published 2014-03-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72804
    title CentOS 5 : gnutls (CESA-2014:0247)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-0246.NASL
    description From Red Hat Security Advisory 2014:0246 : Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. Users of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 72791
    published 2014-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72791
    title Oracle Linux 6 : gnutls (ELSA-2014-0246)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-0247.NASL
    description From Red Hat Security Advisory 2014:0247 : Updated gnutls packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) A flaw was found in the way GnuTLS handled version 1 X.509 certificates. An attacker able to obtain a version 1 certificate from a trusted certificate authority could use this flaw to issue certificates for other sites that would be accepted by GnuTLS as valid. (CVE-2009-5138) The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 72792
    published 2014-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72792
    title Oracle Linux 5 : gnutls (ELSA-2014-0247)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-048.NASL
    description Updated gnutls packages fix security vulnerability : It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker (CVE-2014-0092).
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 72919
    published 2014-03-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72919
    title Mandriva Linux Security Advisory : gnutls (MDVSA-2014:048)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20140303_GNUTLS_ON_SL6_X.NASL
    description It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 72796
    published 2014-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72796
    title Scientific Linux Security Update : gnutls on SL6.x i386/x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-3363.NASL
    description fixes CVE-2014-0092 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 72868
    published 2014-03-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72868
    title Fedora 19 : gnutls-3.1.20-4.fc19 (2014-3363)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-072.NASL
    description Updated gnutls packages fix security vulnerabilities : Suman Jana reported a vulnerability that affects the certificate verification functions of gnutls 3.1.x and gnutls 3.2.x. A version 1 intermediate certificate will be considered as a CA certificate by default (something that deviates from the documented behavior) (CVE-2014-1959). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker (CVE-2014-0092). A NULL pointer dereference flaw was discovered in GnuTLS's gnutls_x509_dn_oid_name(). The function, when called with the GNUTLS_X509_DN_OID_RETURN_OID flag, should not return NULL to its caller. However, it could previously return NULL when parsed X.509 certificates included specific OIDs (CVE-2014-3465). A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code (CVE-2014-3466). An out-of-bounds memory write flaw was found in the way GnuTLS parsed certain ECC (Elliptic Curve Cryptography) certificates or certificate signing requests (CSR). A malicious user could create a specially crafted ECC certificate or a certificate signing request that, when processed by an application compiled against GnuTLS (for example, certtool), could cause that application to crash or execute arbitrary code with the permissions of the user running the application (CVE-2014-8564).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 82325
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82325
    title Mandriva Linux Security Advisory : gnutls (MDVSA-2015:072)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201406-09.NASL
    description The remote host is affected by the vulnerability described in GLSA-201406-09 (GnuTLS: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GnuTLS. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could utilize multiple vectors to spoof arbitrary SSL servers via a crafted certificate, execute arbitrary code or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 76061
    published 2014-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76061
    title GLSA-201406-09 : GnuTLS: Multiple vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-3454.NASL
    description Version 3.1.22 (released 2014-03-03) - libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2) - libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw when provided with invalid data. Reported by Dmitriy Anisimkov. - libgnutls: Corrected timeout issue in subsequent to the first DTLS handshakes. - libgnutls: Removed unconditional not-trusted message in gnutls_certificate_verification_status_print() when used with OpenPGP certificates. Reported by Michel Briand. - libgnutls: All ciphersuites that were available in TLS1.0 or later are now made available in SSL3.0 or later to prevent any incompatibilities with servers that negotiate them in SSL 3.0. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 73036
    published 2014-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73036
    title Fedora 20 : mingw-gnutls-3.1.22-1.fc20 (2014-3454)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0288.NASL
    description Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.3, 5.6 and 6.2 Long Life, and Red Hat Enterprise Linux 5.9, 6.3 and 6.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) This issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. Users of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 79001
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79001
    title RHEL 4 / 5 / 6 : gnutls (RHSA-2014:0288)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2127-1.NASL
    description Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly handled certificate verification functions. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited with specially crafted certificates to view sensitive information. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 72812
    published 2014-03-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72812
    title Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : gnutls26 vulnerability (USN-2127-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-3413.NASL
    description Added fix for CVE-2014-0092 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 72869
    published 2014-03-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72869
    title Fedora 20 : gnutls-3.1.20-4.fc20 (2014-3413)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0246.NASL
    description Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. Users of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 72793
    published 2014-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72793
    title RHEL 6 : gnutls (RHSA-2014:0246)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-3493.NASL
    description Version 3.1.22 (released 2014-03-03) - libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2) - libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw when provided with invalid data. Reported by Dmitriy Anisimkov. - libgnutls: Corrected timeout issue in subsequent to the first DTLS handshakes. - libgnutls: Removed unconditional not-trusted message in gnutls_certificate_verification_status_print() when used with OpenPGP certificates. Reported by Michel Briand. - libgnutls: All ciphersuites that were available in TLS1.0 or later are now made available in SSL3.0 or later to prevent any incompatibilities with servers that negotiate them in SSL 3.0. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 73038
    published 2014-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73038
    title Fedora 19 : mingw-gnutls-3.1.22-1.fc19 (2014-3493)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0339.NASL
    description An updated rhev-hypervisor6 package that fixes multiple security issues is now available. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) A flaw was found in the way the get_rx_bufs() function in the vhost_net implementation in the Linux kernel handled error conditions reported by the vhost_get_vq_desc() function. A privileged guest user could use this flaw to crash the host. (CVE-2014-0055) A heap-based buffer overflow flaw was found in the Linux kernel's cdc-wdm driver, used for USB CDC WCM device management. An attacker with physical access to a system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1860) The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. This updated package provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers : CVE-2014-0101, and CVE-2014-0069 (kernel issues) CVE-2010-2596, CVE-2013-1960, CVE-2013-1961, CVE-2013-4231, CVE-2013-4232, CVE-2013-4243, and CVE-2013-4244 (libtiff issues) Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which corrects these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 79003
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79003
    title RHEL 6 : rhev-hypervisor6 (RHSA-2014:0339)
redhat via4
advisories
  • bugzilla
    id 1069865
    title CVE-2014-0092 gnutls: incorrect error handling in certificate verification (GNUTLS-SA-2014-2)
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment gnutls is earlier than 0:2.8.5-13.el6_5
          oval oval:com.redhat.rhsa:tst:20140246005
        • comment gnutls is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120429006
      • AND
        • comment gnutls-devel is earlier than 0:2.8.5-13.el6_5
          oval oval:com.redhat.rhsa:tst:20140246011
        • comment gnutls-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120429010
      • AND
        • comment gnutls-guile is earlier than 0:2.8.5-13.el6_5
          oval oval:com.redhat.rhsa:tst:20140246009
        • comment gnutls-guile is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120429012
      • AND
        • comment gnutls-utils is earlier than 0:2.8.5-13.el6_5
          oval oval:com.redhat.rhsa:tst:20140246007
        • comment gnutls-utils is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120429008
    rhsa
    id RHSA-2014:0246
    released 2014-03-03
    severity Important
    title RHSA-2014:0246: gnutls security update (Important)
  • bugzilla
    id 1069865
    title CVE-2014-0092 gnutls: incorrect error handling in certificate verification (GNUTLS-SA-2014-2)
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • OR
      • AND
        • comment gnutls is earlier than 0:1.4.1-14.el5_10
          oval oval:com.redhat.rhsa:tst:20140247002
        • comment gnutls is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080489003
      • AND
        • comment gnutls-devel is earlier than 0:1.4.1-14.el5_10
          oval oval:com.redhat.rhsa:tst:20140247004
        • comment gnutls-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080489005
      • AND
        • comment gnutls-utils is earlier than 0:1.4.1-14.el5_10
          oval oval:com.redhat.rhsa:tst:20140247006
        • comment gnutls-utils is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080489007
    rhsa
    id RHSA-2014:0247
    released 2014-03-03
    severity Important
    title RHSA-2014:0247: gnutls security update (Important)
  • rhsa
    id RHSA-2014:0288
  • rhsa
    id RHSA-2014:0339
rpms
  • gnutls-0:2.8.5-13.el6_5
  • gnutls-devel-0:2.8.5-13.el6_5
  • gnutls-guile-0:2.8.5-13.el6_5
  • gnutls-utils-0:2.8.5-13.el6_5
  • gnutls-0:1.4.1-14.el5_10
  • gnutls-devel-0:1.4.1-14.el5_10
  • gnutls-utils-0:1.4.1-14.el5_10
refmap via4
bid 65919
confirm
debian DSA-2869
secunia
  • 56933
  • 57103
  • 57204
  • 57254
  • 57260
  • 57274
  • 57321
suse
  • SUSE-SU-2014:0319
  • SUSE-SU-2014:0320
  • SUSE-SU-2014:0321
  • SUSE-SU-2014:0322
  • SUSE-SU-2014:0323
  • SUSE-SU-2014:0324
  • SUSE-SU-2014:0445
  • openSUSE-SU-2014:0325
  • openSUSE-SU-2014:0328
  • openSUSE-SU-2014:0346
ubuntu USN-2127-1
Last major update 28-11-2016 - 14:10
Published 06-03-2014 - 19:10
Back to Top