Difference between revisions of "DBSA:2014-0006"
Revision as of 02:35, 6 March 2014
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant; please refer to the "Date" section of the header to be sure the advisory is recent as it pertains to your situation.
Digibase Security Advisory - GnuTLS TLS/SSL Vulnerability
Keywords: SSL, TLS, Vulnerability, Data Exposure, HTTPS, GNU
DBSA ID: 2014-0006
Regarding: GnuTLS TLS/SSL Vulnerability
Writeup: LazloPsylus (talk) 01:35, 6 March 2014 (EST)
Date: 2014 03 06
Last Modified: 20140306023529 by LazloPsylus
Who should take note: GNU software users and administrators
Classification
Priority: HIGH
Rationale: Information may be disclosed without immediate reaction
Severity: HIGH
Rationale: Trusted encrypted connections may be at risk
Spread of Issue: MULTI-PLATFORM HIGH
Rationale: Affects all software that links against GnuTLS, regardless of platform or system.
Description
GnuTLS is an LGPL-licensed implementation of the SSL, TLS, and DTLS protocols, used by many applications to provide secure, encrypted communications. An audit by Red Hat identified a vulnerability in GnuTLS's handling of version 1 X.509 certificates: a malicious user with access to a valid certificate can issue certificates for other sites that GnuTLS will incorrectly accept as valid. This can be leveraged in numerous ways to compromise information thought to be protected by encryption.
- All versions of GnuTLS prior to 3.2.12 are vulnerable.
For further technical information, refer to CVE-2014-0092.
Mitigation/Solution
All users are strongly advised to update their GnuTLS libraries if possible, and to avoid using software built against any vulnerable version of GnuTLS until that software is updated to resolve the vulnerability.
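To act on the mitigation above, here is an added Python example (not from the advisory or the GnuTLS project) that flags installed versions below 3.2.12 and, from constructed `lsof -n` style output, lists the running processes that still have a GnuTLS library mapped, since upgrading the library on disk does not reach processes that are already running. The sample lines, PIDs and library paths are assumptions made up for the example.

```python
import re
from collections import defaultdict

# From the advisory: every GnuTLS release before 3.2.12 is affected.
FIXED_VERSION = (3, 2, 12)

# Constructed `lsof -n` style output (PIDs and paths are made up). lsof appends
# "(deleted)" when the mapped file was replaced on disk after the process started.
SAMPLE_LSOF = """\
COMMAND   PID     USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
nginx    1234 www-data mem    REG    8,1   987654 131073 /usr/lib/x86_64-linux-gnu/libgnutls.so.28.24.2 (deleted)
nginx    1235 www-data mem    REG    8,1   987654 131073 /usr/lib/x86_64-linux-gnu/libgnutls.so.28.24.2 (deleted)
sshd      800     root mem    REG    8,1   123456  65541 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
wget     2201    alice mem    REG    8,1   987655 131080 /usr/lib/x86_64-linux-gnu/libgnutls.so.28.26.1
""".splitlines()

def parse_version(version):
    """'3.2.11' -> (3, 2, 11); tolerates distro suffixes such as '2.12.23-12ubuntu2'. Read
    the version from `pkg-config --modversion gnutls`: the .so name is the ABI soname."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable GnuTLS version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def is_vulnerable(version):
    """True when the installed release predates the fix; tuples compare
    element by element, so 3.1.22 is vulnerable and 3.2.12.1 is not."""
    return parse_version(version) < FIXED_VERSION

_GNUTLS_LIB = re.compile(r"/libgnutls[^/]*\.so(\.|$)")

def processes_using_gnutls(lsof_lines):
    """Map PID -> (command, sorted library paths, stale) for every process that has
    a GnuTLS library mapped; stale is True when the mapped file was deleted, which
    means the process must be restarted for the library upgrade to take effect."""
    found = defaultdict(lambda: [None, set(), False])
    for line in lsof_lines:
        fields = line.split()
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue  # header or malformed line
        deleted = fields[-1] == "(deleted)"
        path = fields[-2] if deleted else fields[-1]
        if _GNUTLS_LIB.search(path):
            entry = found[fields[1]]
            entry[0], entry[2] = fields[0], entry[2] or deleted
            entry[1].add(path)
    return {pid: (cmd, sorted(libs), stale) for pid, (cmd, libs, stale) in found.items()}

if __name__ == "__main__":
    print(processes_using_gnutls(SAMPLE_LSOF))  # nginx 1234/1235 stale, wget 2201 current
```

On a live host, feed the function the output of `lsof -n` and take the version string from the package manager; processes reported as stale keep running the old code until restarted.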