gnutls-1.4.1-3.8.0.1.AXS3

エラータID: AXSA:2010-153:01

Release date: 
Friday, March 26, 2010 - 15:54
Subject: 
gnutls-1.4.1-3.8.0.1.AXS3
Affected Channels: 
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity: 
High
Description: 

The GNU TLS library implements TLS and support for cryptographic algorithms.
Security issues fixed with this releasse:
CVE-2009-3555
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a 'plaintext injection' attack, aka the 'Project Mogul' issue.
CVE-2009-2409
The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.

Solution: 

Update packages.

CVEs: 
CVE-2009-3555
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
CVE-2009-2409
The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
Additional Info: 

N/A

Download: 

SRPMS
  1. gnutls-1.4.1-3.8.0.1.AXS3.src.rpm
    MD5: ddc91e0fe3ca4449b7975ac4a8606e0f
    SHA-256: fcbee19348d075166e61af9d86d7c27c2c09ebdb7be39af76ed5118d57dbfa5d
    Size: 3.88 MB

Asianux Server 3 for x86
  1. gnutls-1.4.1-3.8.0.1.AXS3.i386.rpm
    MD5: 40f98c7fce69e9da321f796334bce5c7
    SHA-256: 72381fd2acb5ee224c132978160786e64d644d44c6e2f89ba601fa893e6a6452
    Size: 373.30 kB
  2. gnutls-devel-1.4.1-3.8.0.1.AXS3.i386.rpm
    MD5: 13d471dab63bc42bbf953bbf4f27be2e
    SHA-256: 303d59d492ec2e8a8674ee176a3503c002967c2699b3816a962235f1e9117587
    Size: 927.41 kB

Asianux Server 3 for x86_64
  1. gnutls-1.4.1-3.8.0.1.AXS3.x86_64.rpm
    MD5: 66b806cfd8c774f62f576765b3d6b139
    SHA-256: c72879ca941801edb3eec2c3cbeb39e2c6a1072ac3c7277bf65e7b92ad1b9fd4
    Size: 386.85 kB
  2. gnutls-devel-1.4.1-3.8.0.1.AXS3.x86_64.rpm
    MD5: 4dd9a72dc0888c5cf49d2a3cca3fba0e
    SHA-256: 10b9362c8644166e55c90ee10db5174f2abab15ba01bf464bd46049a63226a47
    Size: 945.81 kB