Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.0460 -- [Slackware][Win][UNIX/Linux] gnutls: Multiple Vulnerabilities 14 May 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: gnutls Publisher: Slackware Operating System: Slackware UNIX variants (UNIX, Linux, OSX) Windows Impact: Provide Misleading Information Denial of Service Reduced Security Access: Remote/Unauthenticated CVE Names: CVE-2009-1416 CVE-2009-1415 Original Bulletin: http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.405571 Comment: This advisory references vulnerabilities in products which run on platforms other than Slackware. It is recommended that administrators running gnutls check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] gnutls (SSA:2009-128-01) New gnutls packages are available for Slackware 12.0, 12.1, 12.2, and - -current to fix security issues. More details about the issues may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1415 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1416 Here are the details from the Slackware 12.2 ChangeLog: +--------------------------+ patches/packages/gnutls-2.6.2-i486-2_slack12.2.tgz Patched the following security issues: - Corrected double free on signature verification failure. Reported by Miroslav Kratochvil <exa.exa@gmail.com>. - Noticed when investigating the previous GNUTLS-SA-2009-1 problem. All DSA keys generated using GnuTLS 2.6.x are corrupt. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1415 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1416 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ HINT: Getting slow download speeds from ftp.slackware.com? Give slackware.osuosl.org a try. This is another primary FTP site for Slackware that can be considerably faster than downloading directly from ftp.slackware.com. Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating additional FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 12.0: ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/gnutls-2.6.2-i486-2_slack12.0.tgz Updated package for Slackware 12.1: ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/gnutls-2.6.2-i486-2_slack12.1.tgz Updated package for Slackware 12.2: ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/gnutls-2.6.2-i486-2_slack12.2.tgz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/gnutls-2.6.6-i486-1.txz MD5 signatures: +-------------+ Slackware 12.0 package: 0028d3e43ed87ae20cfd5264676d86ba gnutls-2.6.2-i486-2_slack12.0.tgz Slackware 12.1 package: c5a62819b7ef93ee41ed4c05d6f56c02 gnutls-2.6.2-i486-2_slack12.1.tgz Slackware 12.2 package: eb930f4c0361e4e0bd24044a3c386ce7 gnutls-2.6.2-i486-2_slack12.2.tgz Slackware -current package: c277628054339e0c999daabb94b5a7fb gnutls-2.6.6-i486-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg gnutls-2.6.2-i486-2_slack12.2.tgz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. | +------------------------------------------------------------------------+ - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkoE69YACgkQakRjwEAQIjN6pQCePXmuDPiyTBD7TJJwrS2kXv2E kyUAoIb/q1YsJI6nCgg6uHyITQTvkGU6 =JT+2 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFKENZ/NVH5XJJInbgRAv/eAKCEVLJ8/PQtptxu6B18OUfgbG/IDwCfZ31S Y2r2pOw8FpG+uqSfPhszhbs= =MIvO -----END PGP SIGNATURE-----