Advisories » MGASA-2015-0322

Updated gnutls packages fix security vulnerabilities

Publication date: 25 Aug 2015
Modification date: 25 Aug 2015
Type: security
Affected Mageia releases : 4 , 5
CVE: CVE-2015-0294 , CVE-2015-6251

Description

It was reported that GnuTLS does not check whether the two signature
algorithms match on certificate import (CVE-2015-0294).

Kurt Roeckx discovered that decoding a specific certificate with very long
DistinguishedName (DN) entries leads to double free. A remote attacker can
take advantage of this flaw by creating a specially crafted certificate that,
when processed by an application compiled against GnuTLS, could cause the
application to crash resulting in a denial of service (CVE-2015-6251).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=15504
• https://www.debian.org/security/2015/dsa-3191
• https://www.debian.org/security/2015/dsa-3334
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0294
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6251

SRPMS

5/core

• gnutls-3.2.21-1.1.mga5

4/core

• gnutls-3.2.7-1.7.mga4