Digibase Knowledge Base - User contributions [en] (MediaWiki 1.31.1), user LazloPsylus, feed generated 2024-03-29T10:49:07Z
Feed URL: http://kb.digibase.ca/api.php?action=feedcontributions&user=LazloPsylus&feedformat=atom

DBSA-Redir:DBSA-2014-0006 GnuTLS TLS/SSL Vulnerability (diff 571, 2014-03-06T07:14:14Z, LazloPsylus)
http://kb.digibase.ca/index.php?title=DBSA-Redir:DBSA-2014-0006_GnuTLS_TLS/SSL_Vulnerability&diff=571
LazloPsylus: Redirected page to DBSA:2014-0006
#REDIRECT [[DBSA:2014-0006]]

[[Category:DBSA-Redir]]

DBSA:2014-0006 (diff 569, 2014-03-06T06:49:51Z, LazloPsylus)
http://kb.digibase.ca/index.php?title=DBSA:2014-0006&diff=569
{{DBSAHEAD
| TITLE=GnuTLS TLS/SSL Vulnerability
| KEYWORDS=SSL, TLS, Vulnerability, Data Exposure, HTTPS, GNU
}}

'''DBSA ID:''' {{PAGENAME}}

'''Regarding:''' GnuTLS TLS/SSL Vulnerability

'''Writeup:''' [[User:LazloPsylus|LazloPsylus]] ([[User talk:LazloPsylus|talk]]) 01:35, 6 March 2014 (EST)

'''Date:''' 2014 03 06

'''Last Modified:''' {{REVISIONTIMESTAMP}} by {{REVISIONUSER}}

'''Who should take note:''' GNU software users and administrators

==Classification==

'''Priority:''' HIGH

'''Rationale:''' Information may be disclosed if no immediate action is taken

'''Severity:''' HIGH

'''Rationale:''' Trusted encrypted connections may be at risk

'''Spread of Issue:''' MULTI-PLATFORM HIGH

'''Rationale:''' Affects all software that links against GnuTLS, regardless of platform or system.

==Description==
GnuTLS is an LGPL-licensed implementation of the SSL, TLS, and DTLS protocols, used by many applications to provide secure, encrypted communications. An audit by Red Hat identified a flaw in GnuTLS's handling of version 1 X.509 certificates: a malicious user who holds a valid certificate can issue certificates for other sites, and GnuTLS will incorrectly accept them as valid. This can be leveraged in numerous ways to compromise information thought to be protected by encryption.

*All versions of GnuTLS prior to 3.2.12 are vulnerable.

For further technical information, refer to CVE-2014-0092.

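As an added defender-side check, not part of the advisory or of GnuTLS itself, the Python below reads the DER version field of each certificate in a chain and reports any X.509 v1 certificate found above the leaf, the certificate type the description says GnuTLS mishandled. The two DER blobs are constructed stubs containing only the leading fields the walker reads, not real certificates.

```python
def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, pos + length

def x509_version(der: bytes) -> int:
    """Return 1, 2 or 3 for a DER Certificate by walking
    Certificate -> tbsCertificate -> EXPLICIT [0] version (RFC 5280, DEFAULT v1)."""
    tag, start, _ = _read_tlv(der, 0)          # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs_start, _ = _read_tlv(der, start)  # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, v_start, _ = _read_tlv(der, tbs_start)
    if tag != 0xA0:
        return 1                               # version field absent -> v1
    tag, i_start, i_end = _read_tlv(der, v_start)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[i_start:i_end], "big") + 1

def v1_issuers(chain: list) -> list:
    """Indices of certificates above the leaf (chain[0]) that are X.509 v1.
    A v1 certificate has no extensions, so it can never assert basicConstraints
    CA:TRUE; one in an issuer position is the case GnuTLS < 3.2.12 mishandled."""
    return [i for i, cert in enumerate(chain) if i > 0 and x509_version(cert) == 1]

# Constructed stubs (not real certificates): only the leading fields the walker reads.
V3_STUB = bytes.fromhex("300a3008a003020102020101")  # SEQ{SEQ{[0]{INT 2}, INT 1}}
V1_STUB = bytes.fromhex("30053003020101")            # SEQ{SEQ{INT 1}}: no version field

if __name__ == "__main__":
    # Leaf is v3, its issuer is v1, root is v3 -> index 1 is reported.
    print(v1_issuers([V3_STUB, V1_STUB, V3_STUB]))     # [1]
```

Feed it the DER-encoded chain as presented by a server (leaf first); a reported index is a certificate to examine, not proof of an attack, since some legacy roots are legitimately v1.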
==Mitigation/Solution==
All users are strongly advised to update their GnuTLS libraries where possible, and to avoid software that uses a vulnerable version of GnuTLS until that software has been updated to resolve the vulnerability.

==References==
*https://rhn.redhat.com/errata/RHSA-2014-0247.html
*https://access.redhat.com/security/cve/CVE-2014-0092

[[Category:DBSA|2014]]

DBSA:2014-0006 (diff 568, 2014-03-06T06:35:29Z, LazloPsylus)
http://kb.digibase.ca/index.php?title=DBSA:2014-0006&diff=568
LazloPsylus: Created page with "{{DBSAHEAD | TITLE=GnuTLS TLS/SSL Vulnerability | KEYWORDS=SSL, TLS, Vulnerability, Data Exposure, HTTPS, GNU }} '''DBSA ID:''' {{PAGENAME}} '''Regarding:''' GnuTLS TLS/SSL ..."