gnutls-1.4.1-3.8.0.1.AXS3
Errata ID: AXSA:2010-153:01
Release date:
2010/03/26 Friday - 15:54
Title:
gnutls-1.4.1-3.8.0.1.AXS3
Affected channels:
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity:
High
Description:
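The following issues have been addressed.
[Security Fix]
- The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols contain a vulnerability in the renegotiation feature. (CVE-2009-3555)
- The NSS library used in Firefox supports MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. (CVE-2009-2409)
The translated text for some CVEs is quoted from JVN.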
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2009-3555
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
CVE-2009-2409
The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
Additional information:
N/A
Downloads:
SRPMS
- gnutls-1.4.1-3.8.0.1.AXS3.src.rpm
MD5: ddc91e0fe3ca4449b7975ac4a8606e0f
SHA-256: fcbee19348d075166e61af9d86d7c27c2c09ebdb7be39af76ed5118d57dbfa5d
Size: 3.88 MB
Asianux Server 3 for x86
- gnutls-1.4.1-3.8.0.1.AXS3.i386.rpm
MD5: 40f98c7fce69e9da321f796334bce5c7
SHA-256: 72381fd2acb5ee224c132978160786e64d644d44c6e2f89ba601fa893e6a6452
Size: 373.30 kB
- gnutls-devel-1.4.1-3.8.0.1.AXS3.i386.rpm
MD5: 13d471dab63bc42bbf953bbf4f27be2e
SHA-256: 303d59d492ec2e8a8674ee176a3503c002967c2699b3816a962235f1e9117587
Size: 927.41 kB
Asianux Server 3 for x86_64
- gnutls-1.4.1-3.8.0.1.AXS3.x86_64.rpm
MD5: 66b806cfd8c774f62f576765b3d6b139
SHA-256: c72879ca941801edb3eec2c3cbeb39e2c6a1072ac3c7277bf65e7b92ad1b9fd4
Size: 386.85 kB
- gnutls-devel-1.4.1-3.8.0.1.AXS3.x86_64.rpm
MD5: 4dd9a72dc0888c5cf49d2a3cca3fba0e
SHA-256: 10b9362c8644166e55c90ee10db5174f2abab15ba01bf464bd46049a63226a47
Size: 945.81 kB