Rapid7 Vulnerability & Exploit Database

RHSA-2010:0167: gnutls security update


Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 03/26/2010
Created: 07/25/2018
Added: 04/06/2010
Modified: 07/04/2017

Description

The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS).

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555)

Refer to the following Knowledgebase article for additional details about the CVE-2009-3555 flaw: http://kbase.redhat.com/faq/docs/DOC-20491

A flaw was found in the way GnuTLS extracted serial numbers from X.509 certificates. On 64-bit big endian platforms, this flaw could cause the certificate revocation list (CRL) check to be bypassed; cause various GnuTLS utilities to crash; or, possibly, execute arbitrary code. (CVE-2010-0731)

Users of GnuTLS are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted, or the system rebooted.

Solution(s)

  • redhat-upgrade-gnutls
  • redhat-upgrade-gnutls-devel
