CVE-2014-0092
First published: Tue Feb 25 2014(Updated: )
It was discovered that GnuTLS X.509 certificate verification code failed to properly handle certain errors that can occur during the certificate verification. When such errors are encountered, GnuTLS would report successful verification of the certificate, even though verification should end with failure. A specially-crafted certificate can be accepted by GnuTLS as valid even if it wasn't issued by any trusted Certificate Authority. This can be used to perform man-in-the-middle attacks against applications using GnuTLS.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/gnutls | <3.1.22 | 3.1.22 |
| redhat/gnutls | <3.2.12 | 3.2.12 |
| GNU GnuTLS | <=3.2.11 | |
| GNU GnuTLS | =3.2.0 | |
| GNU GnuTLS | =3.2.1 | |
| GNU GnuTLS | =3.2.2 | |
| GNU GnuTLS | =3.2.3 | |
| GNU GnuTLS | =3.2.4 | |
| GNU GnuTLS | =3.2.5 | |
| GNU GnuTLS | =3.2.6 | |
| GNU GnuTLS | =3.2.7 | |
| GNU GnuTLS | =3.2.8 | |
| GNU GnuTLS | =3.2.8.1 | |
| GNU GnuTLS | =3.2.9 | |
| GNU GnuTLS | =3.2.10 | |
| GNU GnuTLS | <=3.1.21 | |
| GNU GnuTLS | =3.1.0 | |
| GNU GnuTLS | =3.1.1 | |
| GNU GnuTLS | =3.1.2 | |
| GNU GnuTLS | =3.1.3 | |
| GNU GnuTLS | =3.1.4 | |
| GNU GnuTLS | =3.1.5 | |
| GNU GnuTLS | =3.1.6 | |
| GNU GnuTLS | =3.1.7 | |
| GNU GnuTLS | =3.1.8 | |
| GNU GnuTLS | =3.1.9 | |
| GNU GnuTLS | =3.1.10 | |
| GNU GnuTLS | =3.1.11 | |
| GNU GnuTLS | =3.1.12 | |
| GNU GnuTLS | =3.1.13 | |
| GNU GnuTLS | =3.1.14 | |
| GNU GnuTLS | =3.1.15 | |
| GNU GnuTLS | =3.1.16 | |
| GNU GnuTLS | =3.1.17 | |
| GNU GnuTLS | =3.1.18 | |
| GNU GnuTLS | =3.1.19 | |
| GNU GnuTLS | =3.1.20 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://gnutls.org/security.html#GNUTLS-SA-2014-2
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00020.html
- http://rhn.redhat.com/errata/RHSA-2014-0246.html
- http://rhn.redhat.com/errata/RHSA-2014-0247.html
- http://rhn.redhat.com/errata/RHSA-2014-0288.html
- http://rhn.redhat.com/errata/RHSA-2014-0339.html
- http://secunia.com/advisories/56933
- http://secunia.com/advisories/57103
- http://secunia.com/advisories/57204
- http://secunia.com/advisories/57254
- http://secunia.com/advisories/57260
- http://secunia.com/advisories/57274
- http://secunia.com/advisories/57321
- http://www.debian.org/security/2014/dsa-2869
- http://www.securityfocus.com/bid/65919
- http://www.ubuntu.com/usn/USN-2127-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1069865
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=867911&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=867911&action=edit
- http://lists.gnutls.org/pipermail/gnutls-devel/2014-March/006794.html
- http://lists.gnutls.org/pipermail/gnutls-devel/2014-March/006795.html
- https://www.gitorious.org/gnutls/gnutls/commit/855127da290a280df839038671ae6aba01957736
- https://www.gitorious.org/gnutls/gnutls/commit/a79aed24327cfb2771062956399d5a54ede1e923
- https://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150ccbdf0aec1878a41c17c41d358a3b
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1071796
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1071795
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1071797
- https://rhn.redhat.com/errata/RHSA-2014-0247.html
- https://rhn.redhat.com/errata/RHSA-2014-0246.html
- https://rhn.redhat.com/errata/RHSA-2014-0288.html
- https://rhn.redhat.com/errata/RHSA-2014-0339.html
- agent/references
- agent/type
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/author
- agent/weakness
- agent/severity
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-0092
- agent/software-canonical-lookup
- agent/trending
- agent/tags
- agent/source
- vendor/gnu
- canonical/gnu gnutls
- version/gnu gnutls/3.2.11
- version/gnu gnutls/3.2.0
- version/gnu gnutls/3.2.1
- version/gnu gnutls/3.2.2
- version/gnu gnutls/3.2.3
- version/gnu gnutls/3.2.4
- version/gnu gnutls/3.2.5
- version/gnu gnutls/3.2.6
- version/gnu gnutls/3.2.7
- version/gnu gnutls/3.2.8
- version/gnu gnutls/3.2.8.1
- version/gnu gnutls/3.2.9
- version/gnu gnutls/3.2.10
- version/gnu gnutls/3.1.21
- version/gnu gnutls/3.1.0
- version/gnu gnutls/3.1.1
- version/gnu gnutls/3.1.2
- version/gnu gnutls/3.1.3
- version/gnu gnutls/3.1.4
- version/gnu gnutls/3.1.5
- version/gnu gnutls/3.1.6
- version/gnu gnutls/3.1.7
- version/gnu gnutls/3.1.8
- version/gnu gnutls/3.1.9
- version/gnu gnutls/3.1.10
- version/gnu gnutls/3.1.11
- version/gnu gnutls/3.1.12
- version/gnu gnutls/3.1.13
- version/gnu gnutls/3.1.14
- version/gnu gnutls/3.1.15
- version/gnu gnutls/3.1.16
- version/gnu gnutls/3.1.17
- version/gnu gnutls/3.1.18
- version/gnu gnutls/3.1.19
- version/gnu gnutls/3.1.20
- package-manager/redhat