Ubuntu Security Notice 2540-1 - It was discovered that GnuTLS did not perform date and time checks on CA certificates, contrary to expectations. This issue only affected Ubuntu 10.04 LTS. Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly verified that signature algorithms matched. A remote attacker could possibly use this issue to downgrade to a disallowed algorithm. This issue only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Various other issues were also addressed.
faa3f38df2a778a2e8d6ecb02bc1d46cf098d1bce9d470cf79399514146a00c2
============================================================================
Ubuntu Security Notice USN-2540-1
March 23, 2015
gnutls26, gnutls28 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in GnuTLS.
Software Description:
- gnutls28: GNU TLS library
- gnutls26: GNU TLS library
Details:
It was discovered that GnuTLS did not perform date and time checks on
CA certificates, contrary to expectations. This issue only affected
Ubuntu 10.04 LTS. (CVE-2014-8155)
Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly verified that
signature algorithms matched. A remote attacker could possibly use this
issue to downgrade to a disallowed algorithm. This issue only affected
Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-0282)
It was discovered that GnuTLS incorrectly verified certificate algorithms.
A remote attacker could possibly use this issue to downgrade to a
disallowed algorithm. (CVE-2015-0294)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
libgnutls-deb0-28 3.2.16-1ubuntu2.2
Ubuntu 14.04 LTS:
libgnutls26 2.12.23-12ubuntu2.2
Ubuntu 12.04 LTS:
libgnutls26 2.12.14-5ubuntu3.9
Ubuntu 10.04 LTS:
libgnutls26 2.8.5-2ubuntu0.7
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2540-1
CVE-2014-8155, CVE-2015-0282, CVE-2015-0294
Package Information:
https://launchpad.net/ubuntu/+source/gnutls28/3.2.16-1ubuntu2.2
https://launchpad.net/ubuntu/+source/gnutls26/2.12.23-12ubuntu2.2
https://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu3.9
https://launchpad.net/ubuntu/+source/gnutls26/2.8.5-2ubuntu0.7