-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:108 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : gnutls Date : June 9, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated gnutls packages fix security vulnerabilities: A NULL pointer dereference flaw was discovered in GnuTLS's gnutls_x509_dn_oid_name(). The function, when called with the GNUTLS_X509_DN_OID_RETURN_OID flag, should not return NULL to its caller. However, it could previously return NULL when parsed X.509 certificates included specific OIDs (CVE-2014-3465). A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code (CVE-2014-3466). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3465 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466 http://advisories.mageia.org/MGASA-2014-0248.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: e9d619b4d917c9e322c43e1589e00cf9 mbs1/x86_64/gnutls-3.0.28-1.7.mbs1.x86_64.rpm ba96fe08901ad527c4a9be1985429301 mbs1/x86_64/lib64gnutls28-3.0.28-1.7.mbs1.x86_64.rpm dacba924eeafab91fd6215da5820c11e mbs1/x86_64/lib64gnutls-devel-3.0.28-1.7.mbs1.x86_64.rpm bbbdad730440b4fdfa1d1903c90f008d mbs1/x86_64/lib64gnutls-ssl27-3.0.28-1.7.mbs1.x86_64.rpm 169be2c8e116c6e639ca981233ef3b7a mbs1/SRPMS/gnutls-3.0.28-1.7.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFTldtJmqjQ0CJFipgRAuYJAKCuDqqqMfnj1NlfVM2wR7GzNsd/pgCeKrIf hnMh1JBwllVk1L+UCLa6jfs= =u0HM -----END PGP SIGNATURE-----