===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1091
                          GnuTLS Security update
                                7 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GnuTLS
Publisher:         Novell
Operating System:  SUSE
                   OpenSUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3469 CVE-2014-3468 CVE-2014-3467
                   CVE-2014-3466  

Reference:         ESB-2014.1062
                   ESB-2014.0937
                   ESB-2014.0934
                   ESB-2014.0875
                   ESB-2014.0873
                   ESB-2014.0872
                   ESB-2014.0860

Original Bulletin: 
   http://www.novell.com/support/kb/doc.php?id=7015302
   http://www.novell.com/support/kb/doc.php?id=7015303

Comment: This bulletin contains two (2) Novell security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

GnuTLS Security update for Novell Open Enterprise Server 2 SP3.

Document ID: 7015302
Creation Date: 01-JUL-14
Modified Date: 01-JUL-14
Products: Novell Open Enterprise Server, SUSE Linux Enterprise Server

This document (7015302) is provided subject to the disclaimer at the end of 
this document.

Environment 

SUSE Linux Enterprise Server 10 Service Pack 4 (SLES 10 SP4) 
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3

Situation 

General support for SUSE Linux Enterprise Server 10 SP4 ended on 31 July 2013.
General support for Novell Open Enterprise Server 2 SP3 ended on 31 July 2013.

A number of GnuTLS-related security vulnerabilities were reported.

Because Novell Open Enterprise Server 2 SP3 is currently under extended support,
the Novell and SUSE teams have collaborated closely to make these fixes
available to Novell OES2 SP3 customers.

Resolution

The oes2sp3-gnutls-8896 patch, containing the fixes listed below for SLES 10 SP4,
was released through the public OES2 SP3 patch repositories on 30 June 2014.

GnuTLS has been patched to ensure proper parsing of session ids during the
TLS/SSL handshake. Additionally, three issues inherited from libtasn1 have been
fixed.

Further information is available at 
http://www.gnutls.org/security.html#GNUTLS-SA-2014-3

These security issues have been fixed:

Possible memory corruption during connect (CVE-2014-3466)
Multiple boundary check issues could allow DoS (CVE-2014-3467)
asn1_get_bit_der() can return negative bit length (CVE-2014-3468) 
Possible DoS by NULL pointer dereference (CVE-2014-3469)

Security Issues:

CVE-2014-3466 
CVE-2014-3467
CVE-2014-3468 
CVE-2014-3469

Cause

Multiple GnuTLS-related security vulnerabilities.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE 
customers and parties interested in our products and solutions to acquire 
information, ideas and learn from one another. Materials are provided for 
informational, personal or non-commercial use within your organization and are
presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

- -----------------------------------------------------------------------------
GnuTLS Security update for Novell Open Enterprise Server 11 SP1.

Document ID: 7015303
Creation Date: 01-JUL-14
Modified Date: 01-JUL-14
Products: Novell Open Enterprise Server, SUSE Linux Enterprise Server

This document (7015303) is provided subject to the disclaimer at the end of 
this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 2 (SLES 11 SP2)
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1

Situation

General support for SUSE Linux Enterprise Server 11 SP2 ended on 31 Jan 2014.
General support for Novell Open Enterprise Server 11 SP1 ends on 29 Jan 2015.

A number of GnuTLS-related security vulnerabilities were reported.

Because of the current support status of Novell Open Enterprise Server 11 SP1,
the Novell and SUSE teams have collaborated closely to make these fixes
available to Novell OES11 SP1 customers.

Resolution

The oes11sp1-gnutls-9429 patch, containing the fixes listed below for SLES 11 SP2,
was released through the public OES11 SP1 patch repositories on 30 June 2014.

GnuTLS has been patched to ensure proper parsing of session ids during the
TLS/SSL handshake. Additionally, three issues inherited from libtasn1 have been
fixed.

Further information is available at 
http://www.gnutls.org/security.html#GNUTLS-SA-2014-3

These security issues have been fixed:

Possible memory corruption during connect (CVE-2014-3466)
Multiple boundary check issues could allow DoS (CVE-2014-3467)
asn1_get_bit_der() can return negative bit length (CVE-2014-3468) 
Possible DoS by NULL pointer dereference (CVE-2014-3469)
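As an added illustration for both included advisories (documents 7015302 and 7015303), and not code from Novell or from GnuTLS itself, the following Python parser shows what "proper parsing of session ids during the TLS/SSL handshake" (CVE-2014-3466) amounts to on the receiving side: a TLS ServerHello session_id is at most 32 bytes, so a client must validate the length byte against that bound and against the remaining buffer before copying anything. The message layout follows RFC 5246; the helper that builds sample messages is hypothetical and constructs test input only.

```python
"""Defensive parser for the session_id field of a TLS ServerHello.

RFC 5246 defines SessionID as opaque<0..32>: one length byte followed by
at most 32 bytes. A client that copies the session id into a fixed 32-byte
buffer without checking the length byte has the class of parsing defect
that CVE-2014-3466 describes; this parser rejects such a message instead.
"""
import struct
from typing import Optional

MAX_SESSION_ID_LEN = 32  # upper bound fixed by the TLS specification


class HandshakeError(ValueError):
    """Raised when a ServerHello violates the length constraints."""


def parse_server_hello_session_id(body: bytes) -> bytes:
    """Return the session id from a ServerHello handshake body.

    Layout: version(2) random(32) session_id_len(1) session_id(n) ...
    Both the spec-fixed maximum and the remaining buffer length are
    checked before any session id bytes are consumed.
    """
    if len(body) < 2 + 32 + 1:
        raise HandshakeError("ServerHello truncated before session_id length")
    sid_len = body[34]
    if sid_len > MAX_SESSION_ID_LEN:
        # The check a vulnerable implementation omits: a length byte above
        # 32 must be rejected, never copied into a 32-byte buffer.
        raise HandshakeError(f"session_id length {sid_len} exceeds {MAX_SESSION_ID_LEN}")
    if 35 + sid_len > len(body):
        raise HandshakeError("session_id runs past end of ServerHello")
    return body[35:35 + sid_len]


def build_server_hello(session_id: bytes, declared_len: Optional[int] = None) -> bytes:
    """Build a minimal ServerHello body (constructed sample, not real traffic).

    declared_len lets a test set the length byte independently of the actual
    session_id bytes, to model a malformed message from a server (hypothetical helper).
    """
    length = len(session_id) if declared_len is None else declared_len
    body = struct.pack("!H", 0x0303)              # TLS 1.2 version
    body += b"\x00" * 32                          # server random (constructed)
    body += bytes([length]) + session_id          # session_id_len + session_id
    body += struct.pack("!H", 0x002F) + b"\x00"   # cipher suite + null compression
    return body
```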

Security Issues:

CVE-2014-3466 
CVE-2014-3467 
CVE-2014-3468 
CVE-2014-3469

Cause

Multiple GnuTLS-related security vulnerabilities.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE 
customers and parties interested in our products and solutions to acquire 
information, ideas and learn from one another. Materials are provided for 
informational, personal or non-commercial use within your organization and are
presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================