-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1091
                           GnuTLS Security update
                                 7 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GnuTLS
Publisher:         Novell
Operating System:  SUSE
                   OpenSUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3469 CVE-2014-3468 CVE-2014-3467 CVE-2014-3466

Reference:         ESB-2014.1062
                   ESB-2014.0937
                   ESB-2014.0934
                   ESB-2014.0875
                   ESB-2014.0873
                   ESB-2014.0872
                   ESB-2014.0860

Original Bulletin:
   http://www.novell.com/support/kb/doc.php?id=7015302
   http://www.novell.com/support/kb/doc.php?id=7015303

Comment: This bulletin contains two (2) Novell security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

GnuTLS Security update for Novell Open Enterprise Server 2 SP3.

Document ID:   7015302
Creation Date: 01-JUL-14
Modified Date: 01-JUL-14

Novell Open Enterprise Server / SUSE / SUSE Linux Enterprise Server

This document (7015302) is provided subject to the disclaimer at the end of
this document.

Environment

SUSE Linux Enterprise Server 10 Service Pack 4 (SLES 10 SP4)
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3

Situation

SUSE Linux Enterprise Server 10 SP4 General support has ended on 31 July 2013.
Novell Open Enterprise Server 2 SP3 General support has ended on 31 July 2013.

A number of GnuTLS related security vulnerabilities were reported. Due to the
current extended support status for Novell Open Enterprise Server 2 SP3, the
Novell and SUSE teams have closely collaborated to make these fixes available
for Novell OES2 SP3 customers.

Resolution

The oes2sp3-gnutls-8896 patch containing the mentioned fixes for SLES 10 SP4
was released through the public OES2 SP3 patch repositories on 30 June 2014.

GnuTLS has been patched to ensure proper parsing of session ids during the
TLS/SSL handshake. Additionally, three issues inherited from libtasn1 have
been fixed. Further information is available at
http://www.gnutls.org/security.html#GNUTLS-SA-2014-3

These security issues have been fixed:

  * Possible memory corruption during connect (CVE-2014-3466)
  * Multiple boundary check issues could allow DoS (CVE-2014-3467)
  * asn1_get_bit_der() can return negative bit length (CVE-2014-3468)
  * Possible DoS by NULL pointer dereference (CVE-2014-3469)

Security Issues:

  CVE-2014-3466
  CVE-2014-3467
  CVE-2014-3468
  CVE-2014-3469

Cause

Multiple GnuTLS related security vulnerabilities.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE
customers and parties interested in our products and solutions to acquire
information, ideas and learn from one another. Materials are provided for
informational, personal or non-commercial use within your organization and
are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

- -----------------------------------------------------------------------------

GnuTLS Security update for Novell Open Enterprise Server 11 SP1.

Document ID:   7015303
Creation Date: 01-JUL-14
Modified Date: 01-JUL-14

Novell Open Enterprise Server / SUSE / SUSE Linux Enterprise Server

This document (7015303) is provided subject to the disclaimer at the end of
this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 2 (SLES 11 SP2)
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1

Situation

SUSE Linux Enterprise Server 11 SP2 General support has ended on 31 Jan 2014.
Novell Open Enterprise Server 11 SP1 General support ends on 29 Jan 2015.

A number of GnuTLS related security vulnerabilities were reported. Due to the
current support status for Novell Open Enterprise Server 11 SP1, the Novell
and SUSE teams have closely collaborated to make these fixes available for
Novell OES11 SP1 customers.

Resolution

The oes11sp1-gnutls-9429 patch containing the mentioned fixes for SLES 11 SP2
was released through the public OES11 SP1 patch repositories on 30 June 2014.

GnuTLS has been patched to ensure proper parsing of session ids during the
TLS/SSL handshake. Additionally, three issues inherited from libtasn1 have
been fixed. Further information is available at
http://www.gnutls.org/security.html#GNUTLS-SA-2014-3

These security issues have been fixed:

  * Possible memory corruption during connect (CVE-2014-3466)
  * Multiple boundary check issues could allow DoS (CVE-2014-3467)
  * asn1_get_bit_der() can return negative bit length (CVE-2014-3468)
  * Possible DoS by NULL pointer dereference (CVE-2014-3469)

Security Issues:

  CVE-2014-3466
  CVE-2014-3467
  CVE-2014-3468
  CVE-2014-3469

Cause

Multiple GnuTLS related security vulnerabilities.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE
customers and parties interested in our products and solutions to acquire
information, ideas and learn from one another. Materials are provided for
informational, personal or non-commercial use within your organization and
are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU7oeABLndAQH1ShLAQJY+A/8CxJjap3IRVJUX4NYSgAhTwfYQAnh0lXr
UBbPWkjeI6r8b3i2G9Z5Jfbu5GyyBZl091pKtlA+tOEFN0PThDAgVCrDcdhXUJG8
sfMHyCP1fd2uJV0axRN0IQyZRuBokaDyPEi4gVfWw4U9nokEb810feY9WiTa+AYi
KuYNyDiQ+QRibM2ShkQ5oT6nuEWTgznBLBP8nQnZzBnB1qMZ1dcFZzGerS6/zIuS
oVHZ1eKl06EeS+wxEaijT/Vay9iyRbjJQUFAe3ptvFz3V8/OF+miHRUjBtFzkQyM
AzhN14rJnOPvRHEs8I8JS43kjF4X11sqRdDte4k6QpBakKquwk8OTDK38dy+OWrn
anuWkYAQuAYCVUd1SaSLF6kbKoPCaGi/Qib+YvsY/VyjaRld89Pdj5itlW4BSO1D
hLWUbU8R0kcmCaKNMebR3hIpbrULPkdfXzJ86HO084zPTDDzc9shXmLEABmrk4Uu
qWZ9AfC1xVf3hS9CtEKjDUEBtnIqcR0cLnPbVCqYOcQ6W1WqhdoakDVryA2BtICu
RvrD3NYo8ikskJ3SxXlpALjmg2S/i5861zYbdKwXzfJiMvm/YyNm/5QKUQBGKAAG
bf9Q/85KTfP3xiWeHqW0Kl3UOKB0X5kAayZ7/u3o4/CDlUNsGTsGtG2clKhKZrx8
F6h1AKOMclM=
=Cjrz
-----END PGP SIGNATURE-----
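Both Novell advisories above describe the same GnuTLS fix: "proper parsing of session ids during the TLS/SSL handshake" (CVE-2014-3466, "possible memory corruption during connect"). The ServerHello is parsed by the client, so the party exposed is a client connecting to a malicious or compromised server: the ServerHello carries a one-byte session_id length chosen by the server, while the session id field a TLS implementation stores it in is at most 32 bytes (RFC 5246), so copying without comparing the two overruns the field. The block below is an added illustration of that bug class and its fix; it is not GnuTLS's source, Novell's patch, or part of the bulletin. The struct and function names are assumptions, and the two ServerHello bodies are constructed for the example. The three libtasn1 DER-decoding issues (CVE-2014-3467 to CVE-2014-3469) are a separate bug class and are not covered here.

```c
/* Added example: simplified TLS ServerHello prefix parser illustrating the
 * class of bug behind CVE-2014-3466 (peer-controlled session_id length copied
 * into a fixed 32-byte field). Illustrative code only; not GnuTLS's source.
 * All names below are assumptions made for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS_MAX_SESSION_ID_SIZE 32   /* RFC 5246: SessionID is 0..32 bytes */

struct server_hello {
    uint8_t version[2];
    uint8_t random[32];
    uint8_t session_id[TLS_MAX_SESSION_ID_SIZE];
    size_t  session_id_len;
};

/* Hardened parse of the fixed prefix of a ServerHello body:
 *   ProtocolVersion(2) Random(32) SessionID<0..32>
 * Returns 0 on success, -1 on a truncated record or an illegal length. */
int parse_server_hello(const uint8_t *p, size_t len, struct server_hello *out)
{
    size_t pos = 0;
    if (len < 2 + 32 + 1)
        return -1;                             /* truncated header */
    memcpy(out->version, p + pos, 2); pos += 2;
    memcpy(out->random, p + pos, 32); pos += 32;
    size_t sid_len = p[pos++];
    /* The check the vulnerable pattern lacks: the peer chose sid_len, the
     * destination is 32 bytes. Both bounds must hold before the copy. */
    if (sid_len > TLS_MAX_SESSION_ID_SIZE)
        return -1;
    if (sid_len > len - pos)
        return -1;                             /* does not fit in record */
    memcpy(out->session_id, p + pos, sid_len);
    out->session_id_len = sid_len;
    return 0;
}

/* Models the unchecked variant without performing the overflow. The
 * vulnerable pattern is simply
 *     memcpy(out->session_id, p + 35, p[34]);
 * with no comparison against the field size; this returns how many bytes
 * past the 32-byte field that copy would write (0 means no overflow). */
size_t unchecked_overflow_bytes(const uint8_t *p, size_t len)
{
    if (len < 35)
        return 0;
    size_t sid_len = p[34];
    return sid_len > TLS_MAX_SESSION_ID_SIZE ? sid_len - TLS_MAX_SESSION_ID_SIZE : 0;
}

/* Constructed ServerHello bodies for the demonstration (not captured traffic). */
static uint8_t benign[2 + 32 + 1 + 32];
static uint8_t malicious[2 + 32 + 1 + 255];

/* Fill buf with a ServerHello prefix carrying a session id of sid_len bytes;
 * returns the number of bytes written. */
size_t build_hello(uint8_t *buf, uint8_t sid_len)
{
    buf[0] = 0x03; buf[1] = 0x03;            /* TLS 1.2 */
    memset(buf + 2, 0x41, 32);               /* server random */
    buf[34] = sid_len;                       /* peer-controlled length byte */
    memset(buf + 35, 0x5a, sid_len);         /* session id bytes */
    return 35 + (size_t)sid_len;
}

int main(void)
{
    struct server_hello sh;
    size_t n = build_hello(benign, 32);
    printf("benign:    parse=%d overflow=%zu\n",
           parse_server_hello(benign, n, &sh), unchecked_overflow_bytes(benign, n));
    n = build_hello(malicious, 255);
    printf("malicious: parse=%d overflow=%zu\n",
           parse_server_hello(malicious, n, &sh), unchecked_overflow_bytes(malicious, n));
    return 0;
}
```

The second bound (length byte versus bytes remaining in the record) matters as much as the first: a value of 32 in a record that is one byte short still reads past the received data. Any client-side handshake parser that trusts a peer-supplied length for a fixed-size field needs both comparisons before the copy.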