what you don't know can hurt you
Showing 1 - 10 of 10 RSS Feed

CVE-2014-0092

Status Candidate

Overview

lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Related Files

Mandriva Linux Security Advisory 2015-072
Posted Mar 27, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-072 - Suman Jana reported a vulnerability that affects the certificate verification functions of gnutls 3.1.x and gnutls 3.2.x. A version 1 intermediate certificate will be considered as a CA certificate by default. It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. A NULL pointer dereference flaw was discovered in GnuTLS's gnutls_x509_dn_oid_name(). The function, when called with the GNUTLS_X509_DN_OID_RETURN_OID flag, should not return NULL to its caller. However, it could previously return NULL when parsed X.509 certificates included specific OIDs. A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code. An out-of-bounds memory write flaw was found in the way GnuTLS parsed certain ECC certificates or certificate signing requests. A malicious user could create a specially crafted ECC certificate or a certificate signing request that, when processed by an application compiled against GnuTLS (for example, certtool), could cause that application to crash or execute arbitrary code with the permissions of the user running the application.

tags | advisory, overflow, arbitrary
systems | linux, mandriva
advisories | CVE-2014-0092, CVE-2014-1959, CVE-2014-3465, CVE-2014-3466, CVE-2014-8564
MD5 | e566a58bdd0bfa6882bfa214b12d9c86
Gentoo Linux Security Advisory 201406-09
Posted Jun 16, 2014
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201406-9 - Multiple vulnerabilities have been discovered in GnuTLS, the worst of which could lead to arbitrary code execution. Versions less than 2.12.23-r6 are affected.

tags | advisory, arbitrary, vulnerability, code execution
systems | linux, gentoo
advisories | CVE-2014-0092, CVE-2014-1959, CVE-2014-3465, CVE-2014-3466
MD5 | a152162582871add2bfa4c10a51fe680
Red Hat Security Advisory 2014-0339-01
Posted Mar 31, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0339-01 - The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.

tags | advisory, kernel
systems | linux, redhat
advisories | CVE-2013-1860, CVE-2014-0055, CVE-2014-0092
MD5 | f0331f590830fdb46dbb9a21e14ae2ca
Red Hat Security Advisory 2014-0288-01
Posted Mar 12, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0288-01 - The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security. It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. This issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team.

tags | advisory, protocol
systems | linux, redhat
advisories | CVE-2014-0092
MD5 | 98c89b4f6cdb28bf4a522253153c2076
Mandriva Linux Security Advisory 2014-048
Posted Mar 10, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-048 - It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.

tags | advisory
systems | linux, mandriva
advisories | CVE-2014-0092
MD5 | c334b809d30468c5dc43c9c7e3c8e9af
Ubuntu Security Notice USN-2127-1
Posted Mar 5, 2014
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2127-1 - Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly handled certificate verification functions. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited with specially crafted certificates to view sensitive information.

tags | advisory, remote
systems | linux, ubuntu
advisories | CVE-2014-0092
MD5 | eefd25789ab3cd0adff0d5b930267d74
Slackware Security Advisory - gnutls Updates
Posted Mar 4, 2014
Authored by Slackware Security Team | Site slackware.com

Slackware Security Advisory - New gnutls packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

tags | advisory
systems | linux, slackware
advisories | CVE-2014-0092
MD5 | d61450c97a7e42c65090775ad3e66c6a
Debian Security Advisory 2869-1
Posted Mar 3, 2014
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2869-1 - Nikos Mavrogiannopoulos of Red Hat discovered an X.509 certificate verification issue in GnuTLS, an SSL/TLS library. A certificate validation could be reported successfully even in cases were an error would prevent all verification steps to be performed.

tags | advisory
systems | linux, redhat, debian
advisories | CVE-2014-0092
MD5 | 6b1c6be793ed2ff268e2e395fa4efc65
Red Hat Security Advisory 2014-0247-01
Posted Mar 3, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0247-01 - The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security. It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. A flaw was found in the way GnuTLS handled version 1 X.509 certificates. An attacker able to obtain a version 1 certificate from a trusted certificate authority could use this flaw to issue certificates for other sites that would be accepted by GnuTLS as valid.

tags | advisory, protocol
systems | linux, redhat
advisories | CVE-2009-5138, CVE-2014-0092
MD5 | 9604dc50e5adabee1bde3a63778ced63
Red Hat Security Advisory 2014-0246-01
Posted Mar 3, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0246-01 - The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security. It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team.

tags | advisory, protocol
systems | linux, redhat
advisories | CVE-2014-0092
MD5 | 24b2e2d69c95b97113d0e74298f17040
Page 1 of 1
Back1Next

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    6 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close