-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

               ESB-2009.0460 -- [Slackware][Win][UNIX/Linux]
                     gnutls: Multiple Vulnerabilities
                                14 May 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              gnutls
Publisher:            Slackware
Operating System:     Slackware
                      UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Provide Misleading Information
                      Denial of Service
                      Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-1416 CVE-2009-1415

Original Bulletin:
  http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.405571

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Slackware. It is recommended that
         administrators running gnutls check for an updated version of the
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  gnutls (SSA:2009-128-01)

New gnutls packages are available for Slackware 12.0, 12.1, 12.2, and
- -current to fix security issues.

More details about the issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1415
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1416


Here are the details from the Slackware 12.2 ChangeLog:
+--------------------------+
patches/packages/gnutls-2.6.2-i486-2_slack12.2.tgz
  Patched the following security issues:
  - Corrected double free on signature verification failure.
  Reported by Miroslav Kratochvil <exa.exa@gmail.com>.
  - Noticed when investigating the previous GNUTLS-SA-2009-1 problem.
  All DSA keys generated using GnuTLS 2.6.x are corrupt.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1415
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1416
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

HINT:  Getting slow download speeds from ftp.slackware.com?
Give slackware.osuosl.org a try.  This is another primary FTP site
for Slackware that can be considerably faster than downloading
directly from ftp.slackware.com.

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating additional FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 12.0:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/gnutls-2.6.2-i486-2_slack12.0.tgz

Updated package for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/gnutls-2.6.2-i486-2_slack12.1.tgz

Updated package for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/gnutls-2.6.2-i486-2_slack12.2.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/gnutls-2.6.6-i486-1.txz


MD5 signatures:
+-------------+

Slackware 12.0 package:
0028d3e43ed87ae20cfd5264676d86ba  gnutls-2.6.2-i486-2_slack12.0.tgz

Slackware 12.1 package:
c5a62819b7ef93ee41ed4c05d6f56c02  gnutls-2.6.2-i486-2_slack12.1.tgz

Slackware 12.2 package:
eb930f4c0361e4e0bd24044a3c386ce7  gnutls-2.6.2-i486-2_slack12.2.tgz

Slackware -current package:
c277628054339e0c999daabb94b5a7fb  gnutls-2.6.6-i486-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg gnutls-2.6.2-i486-2_slack12.2.tgz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoE69YACgkQakRjwEAQIjN6pQCePXmuDPiyTBD7TJJwrS2kXv2E
kyUAoIb/q1YsJI6nCgg6uHyITQTvkGU6
=JT+2
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKENZ/NVH5XJJInbgRAv/eAKCEVLJ8/PQtptxu6B18OUfgbG/IDwCfZ31S
Y2r2pOw8FpG+uqSfPhszhbs=
=MIvO
-----END PGP SIGNATURE-----