ID CVE-2014-3466
Summary Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message.
References
Vulnerable Configurations
  • GNU GnuTLS 3.3.3
    cpe:2.3:a:gnu:gnutls:3.3.3
  • GNU GnuTLS 3.3.2
    cpe:2.3:a:gnu:gnutls:3.3.2
  • GNU GnuTLS 3.3.1
    cpe:2.3:a:gnu:gnutls:3.3.1
  • GNU GnuTLS 3.3.0
    cpe:2.3:a:gnu:gnutls:3.3.0
  • GNU GnuTLS 3.3.0 pre0
    cpe:2.3:a:gnu:gnutls:3.3.0:pre0
  • GNU GnuTLS 3.1.24
    cpe:2.3:a:gnu:gnutls:3.1.24
  • GNU GnuTLS 3.1.23
    cpe:2.3:a:gnu:gnutls:3.1.23
  • GNU GnuTLS 3.1.0
    cpe:2.3:a:gnu:gnutls:3.1.0
  • GNU GnuTLS 3.1.1
    cpe:2.3:a:gnu:gnutls:3.1.1
  • GNU GnuTLS 3.1.10
    cpe:2.3:a:gnu:gnutls:3.1.10
  • GNU GnuTLS 3.1.11
    cpe:2.3:a:gnu:gnutls:3.1.11
  • GNU GnuTLS 3.1.12
    cpe:2.3:a:gnu:gnutls:3.1.12
  • GNU GnuTLS 3.1.13
    cpe:2.3:a:gnu:gnutls:3.1.13
  • GNU GnuTLS 3.1.14
    cpe:2.3:a:gnu:gnutls:3.1.14
  • GNU GnuTLS 3.1.15
    cpe:2.3:a:gnu:gnutls:3.1.15
  • GNU GnuTLS 3.1.16
    cpe:2.3:a:gnu:gnutls:3.1.16
  • GNU GnuTLS 3.1.17
    cpe:2.3:a:gnu:gnutls:3.1.17
  • GNU GnuTLS 3.1.18
    cpe:2.3:a:gnu:gnutls:3.1.18
  • GNU GnuTLS 3.1.19
    cpe:2.3:a:gnu:gnutls:3.1.19
  • GNU GnuTLS 3.1.2
    cpe:2.3:a:gnu:gnutls:3.1.2
  • GNU GnuTLS 3.1.20
    cpe:2.3:a:gnu:gnutls:3.1.20
  • GNU GnuTLS 3.1.21
    cpe:2.3:a:gnu:gnutls:3.1.21
  • GNU GnuTLS 3.1.22
    cpe:2.3:a:gnu:gnutls:3.1.22
  • GNU GnuTLS 3.1.3
    cpe:2.3:a:gnu:gnutls:3.1.3
  • GNU GnuTLS 3.1.4
    cpe:2.3:a:gnu:gnutls:3.1.4
  • GNU GnuTLS 3.1.5
    cpe:2.3:a:gnu:gnutls:3.1.5
  • GNU GnuTLS 3.1.6
    cpe:2.3:a:gnu:gnutls:3.1.6
  • GNU GnuTLS 3.1.7
    cpe:2.3:a:gnu:gnutls:3.1.7
  • GNU GnuTLS 3.1.8
    cpe:2.3:a:gnu:gnutls:3.1.8
  • GNU GnuTLS 3.1.9
    cpe:2.3:a:gnu:gnutls:3.1.9
  • GNU GnuTLS 3.2.13
    cpe:2.3:a:gnu:gnutls:3.2.13
  • GNU GnuTLS 3.2.14
    cpe:2.3:a:gnu:gnutls:3.2.14
  • GNU GnuTLS 3.2.0
    cpe:2.3:a:gnu:gnutls:3.2.0
  • GNU GnuTLS 3.2.1
    cpe:2.3:a:gnu:gnutls:3.2.1
  • GNU GnuTLS 3.2.10
    cpe:2.3:a:gnu:gnutls:3.2.10
  • GNU GnuTLS 3.2.11
    cpe:2.3:a:gnu:gnutls:3.2.11
  • GNU GnuTLS 3.2.12
    cpe:2.3:a:gnu:gnutls:3.2.12
  • GNU GnuTLS 3.2.12.1
    cpe:2.3:a:gnu:gnutls:3.2.12.1
  • GNU GnuTLS 3.2.2
    cpe:2.3:a:gnu:gnutls:3.2.2
  • GNU GnuTLS 3.2.3
    cpe:2.3:a:gnu:gnutls:3.2.3
  • GNU GnuTLS 3.2.4
    cpe:2.3:a:gnu:gnutls:3.2.4
  • GNU GnuTLS 3.2.5
    cpe:2.3:a:gnu:gnutls:3.2.5
  • GNU GnuTLS 3.2.6
    cpe:2.3:a:gnu:gnutls:3.2.6
  • GNU GnuTLS 3.2.7
    cpe:2.3:a:gnu:gnutls:3.2.7
  • GNU GnuTLS 3.2.8
    cpe:2.3:a:gnu:gnutls:3.2.8
  • GNU GnuTLS 3.2.8.1
    cpe:2.3:a:gnu:gnutls:3.2.8.1
  • GNU GnuTLS 3.2.9
    cpe:2.3:a:gnu:gnutls:3.2.9
CVSS
Base: 6.8 (as of 11-08-2015 - 09:59)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-6963.NASL
    description Version 3.1.25 (released 2014-05-30) - libgnutls: Eliminated memory corruption issue in Server Hello parsing. Issue reported by Joonas Kuorilehto of Codenomicon. - libgnutls: Increased the maximum certificate size buffer in the PKCS #11 subsystem. - libgnutls: Check the return code of getpwuid_r() instead of relying on the result value. That avoids issue in certain systems, when using tofu authentication and the home path cannot be determined. Issue reported by Viktor Dukhovni. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-10-19
    plugin id 74413
    published 2014-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74413
    title Fedora 19 : mingw-gnutls-3.1.25-1.fc19 (2014-6963)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20140603_GNUTLS_ON_SL6_X.NASL
    description A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466) For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2017-10-29
    modified 2014-06-05
    plugin id 74306
    published 2014-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74306
    title Scientific Linux Security Update : gnutls on SL6.x i386/x86_64
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_GNUTLS_20141120.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - The gnutls_x509_dn_oid_name function in lib/x509/common.c in GnuTLS 3.0 before 3.1.20 and 3.2.x before 3.2.10 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted X.509 certificate, related to a missing LDAP description for an OID when printing the DN. (CVE-2014-3465) - Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message. (CVE-2014-3466) - Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnutTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via a crafted ASN.1 data. (CVE-2014-3467) - The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data. (CVE-2014-3468) - The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument. (CVE-2014-3469)
    last seen 2017-10-29
    modified 2015-01-19
    plugin id 80632
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80632
    title Oracle Solaris Third-Party Patch Update : gnutls (multiple_vulnerabilities_in_gnutls)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-0594.NASL
    description Updated gnutls packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). The gnutls packages also include the libtasn1 library, which provides Abstract Syntax Notation One (ASN.1) parsing and structures management, and Distinguished Encoding Rules (DER) encoding and decoding functions. A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466) It was discovered that the asn1_get_bit_der() function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code. (CVE-2014-3468) Multiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash. (CVE-2014-3467) Multiple NULL pointer dereference flaws were found in libtasn1's asn1_read_value() function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way. (CVE-2014-3469) Red Hat would like to thank GnuTLS upstream for reporting these issues. Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter of CVE-2014-3466. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS or libtasn1 library must be restarted.
    last seen 2017-10-29
    modified 2014-06-07
    plugin id 74309
    published 2014-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74309
    title CentOS 5 : gnutls (CESA-2014:0594)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0594.NASL
    description Updated gnutls packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). The gnutls packages also include the libtasn1 library, which provides Abstract Syntax Notation One (ASN.1) parsing and structures management, and Distinguished Encoding Rules (DER) encoding and decoding functions. A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466) It was discovered that the asn1_get_bit_der() function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code. (CVE-2014-3468) Multiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash. (CVE-2014-3467) Multiple NULL pointer dereference flaws were found in libtasn1's asn1_read_value() function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way. (CVE-2014-3469) Red Hat would like to thank GnuTLS upstream for reporting these issues. Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter of CVE-2014-3466. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS or libtasn1 library must be restarted.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 74301
    published 2014-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74301
    title RHEL 5 : gnutls (RHSA-2014:0594)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2944.NASL
    description Joonas Kuorilehto discovered that GNU TLS performed insufficient validation of session IDs during TLS/SSL handshakes. A malicious server could use this to execute arbitrary code or perform denial of service.
    last seen 2017-10-29
    modified 2015-07-23
    plugin id 74280
    published 2014-06-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74280
    title Debian DSA-2944-1 : gnutls26 - security update
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201406-09.NASL
    description The remote host is affected by the vulnerability described in GLSA-201406-09 (GnuTLS: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GnuTLS. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could utilize multiple vectors to spoof arbitrary SSL servers via a crafted certificate, execute arbitrary code or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2017-10-29
    modified 2015-07-23
    plugin id 76061
    published 2014-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76061
    title GLSA-201406-09 : GnuTLS: Multiple vulnerabilities
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2014-156-01.NASL
    description New gnutls packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen 2017-10-29
    modified 2014-06-06
    plugin id 74329
    published 2014-06-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74329
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : gnutls (SSA:2014-156-01)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-072.NASL
    description Updated gnutls packages fix security vulnerabilities : Suman Jana reported a vulnerability that affects the certificate verification functions of gnutls 3.1.x and gnutls 3.2.x. A version 1 intermediate certificate will be considered as a CA certificate by default (something that deviates from the documented behavior) (CVE-2014-1959). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker (CVE-2014-0092). A NULL pointer dereference flaw was discovered in GnuTLS's gnutls_x509_dn_oid_name(). The function, when called with the GNUTLS_X509_DN_OID_RETURN_OID flag, should not return NULL to its caller. However, it could previously return NULL when parsed X.509 certificates included specific OIDs (CVE-2014-3465). A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code (CVE-2014-3466). An out-of-bounds memory write flaw was found in the way GnuTLS parsed certain ECC (Elliptic Curve Cryptography) certificates or certificate signing requests (CSR). A malicious user could create a specially crafted ECC certificate or a certificate signing request that, when processed by an application compiled against GnuTLS (for example, certtool), could cause that application to crash or execute arbitrary code with the permissions of the user running the application (CVE-2014-8564).
    last seen 2017-10-29
    modified 2015-03-30
    plugin id 82325
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82325
    title Mandriva Linux Security Advisory : gnutls (MDVSA-2015:072)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-108.NASL
    description Updated gnutls packages fix security vulnerabilities : A NULL pointer dereference flaw was discovered in GnuTLS's gnutls_x509_dn_oid_name(). The function, when called with the GNUTLS_X509_DN_OID_RETURN_OID flag, should not return NULL to its caller. However, it could previously return NULL when parsed X.509 certificates included specific OIDs (CVE-2014-3465). A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code (CVE-2014-3466).
    last seen 2017-10-29
    modified 2014-06-10
    plugin id 74417
    published 2014-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74417
    title Mandriva Linux Security Advisory : gnutls (MDVSA-2014:108)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20140603_GNUTLS_ON_SL5_X.NASL
    description A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466) It was discovered that the asn1_get_bit_der() function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code. (CVE-2014-3468) Multiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash. (CVE-2014-3467) Multiple NULL pointer dereference flaws were found in libtasn1's asn1_read_value() function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way. (CVE-2014-3469) For the update to take effect, all applications linked to the GnuTLS or libtasn1 library must be restarted.
    last seen 2017-10-29
    modified 2014-06-05
    plugin id 74305
    published 2014-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74305
    title Scientific Linux Security Update : gnutls on SL5.x i386/x86_64
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_027AF74DEB5611E39032000C2980A9F3.NASL
    description GnuTLS project reports : This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client.
    last seen 2017-10-29
    modified 2014-06-05
    plugin id 74295
    published 2014-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74295
    title FreeBSD : gnutls -- client-side memory corruption (027af74d-eb56-11e3-9032-000c2980a9f3)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-6891.NASL
    description Added fix for CVE-2014-3466 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-10-19
    plugin id 74316
    published 2014-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74316
    title Fedora 20 : gnutls-3.1.25-1.fc20 (2014-6891)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0815.NASL
    description An updated rhev-hypervisor6 package that fixes several security issues is now available. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466) It was discovered that the asn1_get_bit_der() function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code. (CVE-2014-3468) Multiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash. (CVE-2014-3467) Multiple NULL pointer dereference flaws were found in libtasn1's asn1_read_value() function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way. (CVE-2014-3469) Red Hat would like to thank GnuTLS upstream for reporting CVE-2014-3466, CVE-2014-3468, CVE-2014-3467, and CVE-2014-3469. Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter of CVE-2014-3466. This updated package provides an updated kernel component that includes fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers : CVE-2013-6378, CVE-2014-0203, CVE-2014-1737, CVE-2014-1738, CVE-2014-1874, CVE-2014-2039 and CVE-2014-3153 (kernel issues) Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 79108
    published 2014-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79108
    title RHEL 6 : rhev-hypervisor6 (RHSA-2014:0815)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2229-1.NASL
    description Joonas Kuorilehto discovered that GnuTLS incorrectly handled Server Hello messages. A malicious remote server or a man in the middle could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-24
    plugin id 74285
    published 2014-06-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74285
    title Ubuntu 10.04 LTS / 12.04 LTS / 13.10 / 14.04 LTS : gnutls26 vulnerability (USN-2229-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_GNUTLS-140603.NASL
    description GnuTLS has been patched to ensure proper parsing of session ids during the TLS/SSL handshake. Additionally, three issues inherited from libtasn1 have been fixed. Further information is available at http://www.gnutls.org/security.html#GNUTLS-SA-2014-3 These security issues have been fixed : - Possible memory corruption during connect. (CVE-2014-3466) - Multiple boundary check issues could allow DoS. (CVE-2014-3467) - asn1_get_bit_der() can return negative bit length. (CVE-2014-3468) - Possible DoS by NULL pointer dereference (CVE-2014-3469)
    last seen 2017-10-29
    modified 2014-06-05
    plugin id 74321
    published 2014-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74321
    title SuSE 11.3 Security Update : gnutls (SAT Patch Number 9320)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_9733C480EBFF11E3970B206A8A720317.NASL
    description GnuTLS project reports : This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client.
    last seen 2017-10-29
    modified 2014-06-05
    plugin id 74318
    published 2014-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74318
    title FreeBSD : gnutls -- client-side memory corruption (9733c480-ebff-11e3-970b-206a8a720317)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-0594.NASL
    description From Red Hat Security Advisory 2014:0594 : Updated gnutls packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). The gnutls packages also include the libtasn1 library, which provides Abstract Syntax Notation One (ASN.1) parsing and structures management, and Distinguished Encoding Rules (DER) encoding and decoding functions. A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466) It was discovered that the asn1_get_bit_der() function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code. (CVE-2014-3468) Multiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash. (CVE-2014-3467) Multiple NULL pointer dereference flaws were found in libtasn1's asn1_read_value() function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way. (CVE-2014-3469) Red Hat would like to thank GnuTLS upstream for reporting these issues. Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter of CVE-2014-3466. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS or libtasn1 library must be restarted.
    last seen 2017-10-29
    modified 2017-07-05
    plugin id 74296
    published 2014-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74296
    title Oracle Linux 5 : gnutls (ELSA-2014-0594)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-0595.NASL
    description Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466) Red Hat would like to thank GnuTLS upstream for reporting this issue. Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter. Users of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2017-10-29
    modified 2014-06-07
    plugin id 74310
    published 2014-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74310
    title CentOS 6 : gnutls (CESA-2014:0595)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-411.NASL
    description gnutls was patched to fix two security vulnerabilities that could be used to disrupt service or potentially allow remote code execution. - Memory corruption during connect (CVE-2014-3466) - NULL pointer dereference in gnutls_x509_dn_oid_name (CVE-2014-3465)
    last seen 2017-10-29
    modified 2014-06-13
    plugin id 75384
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75384
    title openSUSE Security Update : gnutls (openSUSE-SU-2014:0763-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0684.NASL
    description Updated gnutls packages that fix two security issues are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466) A NULL pointer dereference flaw was found in the way GnuTLS parsed X.509 certificates. A specially crafted certificate could cause a server or client application using GnuTLS to crash. (CVE-2014-3465) Red Hat would like to thank GnuTLS upstream for reporting these issues. Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter of CVE-2014-3466. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 76893
    published 2014-07-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76893
    title RHEL 7 : gnutls (RHSA-2014:0684)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-0595.NASL
    description From Red Hat Security Advisory 2014:0595 : Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466) Red Hat would like to thank GnuTLS upstream for reporting this issue. Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter. Users of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2017-10-29
    modified 2015-12-01
    plugin id 74297
    published 2014-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74297
    title Oracle Linux 6 : gnutls (ELSA-2014-0595)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-6881.NASL
    description Added fix for CVE-2014-3466 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-10-19
    plugin id 74403
    published 2014-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74403
    title Fedora 19 : gnutls-3.1.20-5.fc19 (2014-6881)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-0684.NASL
    description From Red Hat Security Advisory 2014:0684 : Updated gnutls packages that fix two security issues are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466) A NULL pointer dereference flaw was found in the way GnuTLS parsed X.509 certificates. A specially crafted certificate could cause a server or client application using GnuTLS to crash. (CVE-2014-3465) Red Hat would like to thank GnuTLS upstream for reporting these issues. Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter of CVE-2014-3466. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2017-10-29
    modified 2015-12-01
    plugin id 76731
    published 2014-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76731
    title Oracle Linux 7 : gnutls (ELSA-2014-0684)
  • NASL family Windows
    NASL id VLC_2_1_5.NASL
    description The version of VLC media player installed on the remote host is prior to 2.1.5. It is, therefore, affected by the following vulnerabilities : - An error exists in the png_push_read_chunk() function within the file 'pngpread.c' from the included libpng library that can allow denial of service attacks. (CVE-2014-0333) - A buffer overflow error exists in the read_server_hello() function within the file 'lib/gnutls_handshake.c' from the included GnuTLS library that can allow arbitrary code execution or denial of service. (CVE-2014-3466) - A heap-based buffer overflow error exists in the transcode module due to improper validation of user-supplied input when handling invalid channel counts. An attacker can exploit this to execute arbitrary code. (CVE-2014-6440)
    last seen 2017-10-29
    modified 2015-03-05
    plugin id 78626
    published 2014-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78626
    title VLC Media Player < 2.1.5 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0595.NASL
    description Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466) Red Hat would like to thank GnuTLS upstream for reporting this issue. Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter. Users of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 74302
    published 2014-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74302
    title RHEL 6 : gnutls (RHSA-2014:0595)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-6953.NASL
    description Version 3.1.25 (released 2014-05-30) - libgnutls: Eliminated memory corruption issue in Server Hello parsing. Issue reported by Joonas Kuorilehto of Codenomicon. - libgnutls: Increased the maximum certificate size buffer in the PKCS #11 subsystem. - libgnutls: Check the return code of getpwuid_r() instead of relying on the result value. That avoids issue in certain systems, when using tofu authentication and the home path cannot be determined. Issue reported by Viktor Dukhovni. Version 3.2.14 (released 2014-05-06) - libgnutls: Fixed issue with the check of incoming data when two different recv and send pointers have been specified. Reported and investigated by JMRecio. - libgnutls: Fixed issue in the RSA-PSK key exchange, which would result to illegal memory access if a server hint was provided. - libgnutls: Fixed client memory leak in the PSK key exchange, if a server hint was provided. - libgnutls: Several small bug fixes identified using valgrind and the Codenomicon TLS test suite. - libgnutls: Several small bug fixes found by coverity. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-10-19
    plugin id 74410
    published 2014-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74410
    title Fedora 20 : mingw-gnutls-3.1.25-1.fc20 (2014-6953)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2014-352.NASL
    description A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466)
    last seen 2017-10-29
    modified 2015-01-30
    plugin id 78295
    published 2014-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78295
    title Amazon Linux AMI : gnutls (ALAS-2014-352)
redhat via4
advisories
  • bugzilla
    id 1101932
    title CVE-2014-3466 gnutls: insufficient session id length check in _gnutls_read_server_hello (GNUTLS-SA-2014-3)
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment gnutls is earlier than 0:2.8.5-14.el6_5
          oval oval:com.redhat.rhsa:tst:20140595005
        • comment gnutls is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120429006
      • AND
        • comment gnutls-guile is earlier than 0:2.8.5-14.el6_5
          oval oval:com.redhat.rhsa:tst:20140595009
        • comment gnutls-guile is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120429012
      • AND
        • comment gnutls-devel is earlier than 0:2.8.5-14.el6_5
          oval oval:com.redhat.rhsa:tst:20140595007
        • comment gnutls-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120429010
      • AND
        • comment gnutls-utils is earlier than 0:2.8.5-14.el6_5
          oval oval:com.redhat.rhsa:tst:20140595011
        • comment gnutls-utils is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120429008
    rhsa
    id RHSA-2014:0595
    released 2014-06-03
    severity Important
    title RHSA-2014:0595: gnutls security update (Important)
  • bugzilla
    id 1101932
    title CVE-2014-3466 gnutls: insufficient session id length check in _gnutls_read_server_hello (GNUTLS-SA-2014-3)
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment gnutls-devel is earlier than 0:3.1.18-9.el7_0
          oval oval:com.redhat.rhsa:tst:20140684013
        • comment gnutls-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120429010
      • AND
        • comment gnutls-utils is earlier than 0:3.1.18-9.el7_0
          oval oval:com.redhat.rhsa:tst:20140684011
        • comment gnutls-utils is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120429008
      • AND
        • comment gnutls-dane is earlier than 0:3.1.18-9.el7_0
          oval oval:com.redhat.rhsa:tst:20140684007
        • comment gnutls-dane is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140684008
      • AND
        • comment gnutls-c++ is earlier than 0:3.1.18-9.el7_0
          oval oval:com.redhat.rhsa:tst:20140684009
        • comment gnutls-c++ is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140684010
      • AND
        • comment gnutls is earlier than 0:3.1.18-9.el7_0
          oval oval:com.redhat.rhsa:tst:20140684005
        • comment gnutls is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120429006
    rhsa
    id RHSA-2014:0684
    released 2014-06-10
    severity Important
    title RHSA-2014:0684: gnutls security update (Important)
  • rhsa
    id RHSA-2014:0594
  • rhsa
    id RHSA-2014:0815
rpms
  • gnutls-0:1.4.1-16.el5_10
  • gnutls-devel-0:1.4.1-16.el5_10
  • gnutls-utils-0:1.4.1-16.el5_10
  • gnutls-0:2.8.5-14.el6_5
  • gnutls-guile-0:2.8.5-14.el6_5
  • gnutls-devel-0:2.8.5-14.el6_5
  • gnutls-utils-0:2.8.5-14.el6_5
  • gnutls-devel-0:3.1.18-9.el7_0
  • gnutls-utils-0:3.1.18-9.el7_0
  • gnutls-dane-0:3.1.18-9.el7_0
  • gnutls-c++-0:3.1.18-9.el7_0
  • gnutls-0:3.1.18-9.el7_0
refmap via4
bid 67741
confirm
debian DSA-2944
misc http://radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/
sectrack 1030314
secunia
  • 58340
  • 58598
  • 58601
  • 58642
  • 59016
  • 59021
  • 59057
  • 59086
  • 59408
  • 59838
  • 60384
suse
  • openSUSE-SU-2014:0763
  • openSUSE-SU-2014:0767
the hacker news via4
id THN:937768D6B12230A0FC6ABDEA970C16EA
last seen 2017-01-08
modified 2014-06-04
published 2014-06-04
reporter Mohit Kumar
source http://thehackernews.com/2014/06/critical-gnutls-flaw-leaves-ssl-clients.html
title Critical GnuTLS Flaw Leaves SSL Clients Vulnerable to Remote Code Execution
Last major update 06-01-2017 - 21:59
Published 03-06-2014 - 10:55
Back to Top