-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:116 http://www.mandriva.com/security/ _______________________________________________________________________ Package : gnutls Date : May 18, 2009 Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been found and corrected in gnutls: lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not properly handle invalid DSA signatures, which allows remote attackers to cause a denial of service (application crash) and possibly have unspecified other impact via a malformed DSA key that triggers a (1) free of an uninitialized pointer or (2) double free (CVE-2009-1415). lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates RSA keys stored in DSA structures, instead of the intended DSA keys, which might allow remote attackers to spoof signatures on certificates or have unspecified other impact by leveraging an invalid DSA key (CVE-2009-1416). gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup (CVE-2009-1417). The updated packages have been patched to prevent this. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1415 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1416 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.1: 6d7ecb7d91ba28868368b87e8053aea7 2008.1/i586/gnutls-2.3.0-2.5mdv2008.1.i586.rpm 96b8911ca78bf3e5fc613c712ff981d8 2008.1/i586/libgnutls26-2.3.0-2.5mdv2008.1.i586.rpm d6a02014de6dc2a0c15a2760e137bb51 2008.1/i586/libgnutls-devel-2.3.0-2.5mdv2008.1.i586.rpm 3fb2fe697587a4207059124a71ff44a1 2008.1/SRPMS/gnutls-2.3.0-2.5mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: b2a99ca654a7c67bfdc77c8c13d748d9 2008.1/x86_64/gnutls-2.3.0-2.5mdv2008.1.x86_64.rpm ecd43a69e956d43346c45450c7fc9051 2008.1/x86_64/lib64gnutls26-2.3.0-2.5mdv2008.1.x86_64.rpm 4347df4cc5403f6a427d9cd1e52080ea 2008.1/x86_64/lib64gnutls-devel-2.3.0-2.5mdv2008.1.x86_64.rpm 3fb2fe697587a4207059124a71ff44a1 2008.1/SRPMS/gnutls-2.3.0-2.5mdv2008.1.src.rpm Mandriva Linux 2009.0: c28c925bd7f0269611ac9c6dd392df28 2009.0/i586/gnutls-2.4.1-2.4mdv2009.0.i586.rpm 7a41677834cb818e4e8423fa2360e5e8 2009.0/i586/libgnutls26-2.4.1-2.4mdv2009.0.i586.rpm d47da33eac7b6477f2690c153d2e4408 2009.0/i586/libgnutls-devel-2.4.1-2.4mdv2009.0.i586.rpm dc2307362de50d642550c68a952e69aa 2009.0/SRPMS/gnutls-2.4.1-2.4mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 50eb92f492ac913e11223cf407df5cd4 2009.0/x86_64/gnutls-2.4.1-2.4mdv2009.0.x86_64.rpm e365c536596584def2d8b61ab4ad63a9 2009.0/x86_64/lib64gnutls26-2.4.1-2.4mdv2009.0.x86_64.rpm 13d3880ff941cf06ea4fedeed9ed927b 2009.0/x86_64/lib64gnutls-devel-2.4.1-2.4mdv2009.0.x86_64.rpm dc2307362de50d642550c68a952e69aa 2009.0/SRPMS/gnutls-2.4.1-2.4mdv2009.0.src.rpm Mandriva Linux 2009.1: bc07281e83debdbb5e652d0b84899c47 2009.1/i586/gnutls-2.6.4-1.2mdv2009.1.i586.rpm 89a97dd8d4cd8b717eacffdcf6d1fe59 2009.1/i586/libgnutls26-2.6.4-1.2mdv2009.1.i586.rpm cbaed84e3b4d9787c4c230b6fa44b7cc 2009.1/i586/libgnutls-devel-2.6.4-1.2mdv2009.1.i586.rpm 96fc806f2ac7db65af86ca7c6513d0f4 2009.1/SRPMS/gnutls-2.6.4-1.2mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: c785b4b48f78089add92553b67ecf7a5 2009.1/x86_64/gnutls-2.6.4-1.2mdv2009.1.x86_64.rpm 5c68d534e8741114dfbb9ddd937badf7 2009.1/x86_64/lib64gnutls26-2.6.4-1.2mdv2009.1.x86_64.rpm d21fab6a3225a1333b757707bbfa7be9 2009.1/x86_64/lib64gnutls-devel-2.6.4-1.2mdv2009.1.x86_64.rpm 96fc806f2ac7db65af86ca7c6513d0f4 2009.1/SRPMS/gnutls-2.6.4-1.2mdv2009.1.src.rpm Corporate 4.0: 72433f7e4e0952eabf5838e7de56f9cb corporate/4.0/i586/gnutls-1.0.25-2.4.20060mlcs4.i586.rpm 7a3ba08830a820772bb2ffdda5bd9304 corporate/4.0/i586/libgnutls11-1.0.25-2.4.20060mlcs4.i586.rpm cb04b2511750d20901be98da67a287c9 corporate/4.0/i586/libgnutls11-devel-1.0.25-2.4.20060mlcs4.i586.rpm 2c5ddb3d77debdb4eb619896d264ef36 corporate/4.0/SRPMS/gnutls-1.0.25-2.4.20060mlcs4.src.rpm Corporate 4.0/X86_64: 84d3e0ac9c3b992b4d7dadd3f4a83f4f corporate/4.0/x86_64/gnutls-1.0.25-2.4.20060mlcs4.x86_64.rpm 4e97802d216f69842e6a373aa5d83aeb corporate/4.0/x86_64/lib64gnutls11-1.0.25-2.4.20060mlcs4.x86_64.rpm 8af535b1023b577afbe122344fad21be corporate/4.0/x86_64/lib64gnutls11-devel-1.0.25-2.4.20060mlcs4.x86_64.rpm 2c5ddb3d77debdb4eb619896d264ef36 corporate/4.0/SRPMS/gnutls-1.0.25-2.4.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKEU9PmqjQ0CJFipgRAqReAKD1n+ojNrGr4Ma04VzXwbqh6OzDYQCg0IfH 8SmPTI0PYNZR4Y+HFkaLlrU= =g2Fs -----END PGP SIGNATURE-----