
    CESA-2010:0166: gnutls security update

    Severity: 6
    CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P)
    Published: November 08, 2009
    Added: April 05, 2010
    Modified: November 26, 2015


    The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS).

    A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555)

    Refer to the following Knowledgebase article for additional details about the CVE-2009-3555 flaw: http://kbase.redhat.com/faq/docs/DOC-20491

    Dan Kaminsky found that browsers could accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. GnuTLS now disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409)

    Users of GnuTLS are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted, or the system rebooted.
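
The restart requirement above can be verified on a patched host by looking for processes that still map the replaced library. This shell script is an added example, not part of the advisory or the GnuTLS packages; it assumes a Linux /proc filesystem, and the function names, sample paths and library file name are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still running a pre-update libgnutls.
# After the package is upgraded the old library file is unlinked, and the
# kernel marks its entry in /proc/PID/maps with a trailing " (deleted)".

# Print the PID of every process under $1 (default /proc) with such a mapping.
stale_gnutls_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'libgnutls[^ ]*\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Print "PID<TAB>command" for each process that needs a restart.
# Falls back to "?" where /proc/PID/comm is not available.
report_stale_gnutls() {
    root="${1:-/proc}"
    stale_gnutls_pids "$root" | while read -r pid; do
        name=$(cat "$root/$pid/comm" 2>/dev/null) || name='?'
        printf '%s\t%s\n' "$pid" "$name"
    done
}

# Build a constructed /proc-like tree (sample data, not real output):
# PID 101 maps the replaced library, PID 202 maps the current one.
make_sample_proc() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/101" "$dir/202"
    printf '%s\n' \
        '00400000-00452000 r-xp 00000000 fd:00 1234 /usr/sbin/exampled' \
        '2b0000000000-2b00000a2000 r-xp 00000000 fd:00 131 /usr/lib64/libgnutls.so.13.0.6 (deleted)' \
        > "$dir/101/maps"
    echo exampled > "$dir/101/comm"
    printf '%s\n' \
        '2b0000000000-2b00000a2000 r-xp 00000000 fd:00 977 /usr/lib64/libgnutls.so.13.0.6' \
        > "$dir/202/maps"
    echo otherd > "$dir/202/comm"
    echo "$dir"
}

# Scan the live system only when asked, e.g.:  sh check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    report_stale_gnutls /proc
fi
```

Run it as root so that the maps files of other users' processes are readable; an empty result means no running process still holds the old library.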
