Vulnerability & Exploit Database

Back to search

CESA-2010:0166: gnutls security update

Severity CVSS Published Added Modified
6 (AV:N/AC:M/Au:N/C:N/I:P/A:P) November 08, 2009 April 05, 2010 November 26, 2015

Description

The GnuTLS library provides support for cryptographic algorithms and forprotocols such as Transport Layer Security (TLS).A flaw was found in the way the TLS/SSL (Transport Layer Security/SecureSockets Layer) protocols handled session renegotiation. A man-in-the-middleattacker could use this flaw to prefix arbitrary plain text to a client'ssession (for example, an HTTPS connection to a website). This could forcethe server to process an attacker's request as if authenticated using thevictim's credentials. This update addresses this flaw by implementing theTLS Renegotiation Indication Extension, as defined in RFC 5746.(CVE-2009-3555)Refer to the following Knowledgebase article for additional details aboutthe CVE-2009-3555 flaw: http://kbase.redhat.com/faq/docs/DOC-20491Dan Kaminsky found that browsers could accept certificates with MD2 hashsignatures, even though MD2 is no longer considered a cryptographicallystrong algorithm. This could make it easier for an attacker to create amalicious certificate that would be treated as trusted by a browser. GnuTLSnow disables the use of the MD2 algorithm inside signatures by default.(CVE-2009-2409)Users of GnuTLS are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues. For the update to takeeffect, all applications linked to the GnuTLS library must be restarted, orthe system rebooted.

Free Nexpose Download

Discover, prioritize, and remediate security risks today!

 Download now

References

Solution

linuxrpm-upgrade-centos50-ia64-gnutls

Related Vulnerabilities