Skip to navigation

Security Advisory Moderate: gnutls security update

Advisory: RHSA-2010:0166-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-03-25
Last updated on: 2010-03-25
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux EUS (v. 5.4.z server)
CVEs (cve.mitre.org): CVE-2009-2409
CVE-2009-3555

Details

Updated gnutls packages that fix two security issues are now available for
Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The GnuTLS library provides support for cryptographic algorithms and for
protocols such as Transport Layer Security (TLS).

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handled session renegotiation. A man-in-the-middle
attacker could use this flaw to prefix arbitrary plain text to a client's
session (for example, an HTTPS connection to a website). This could force
the server to process an attacker's request as if authenticated using the
victim's credentials. This update addresses this flaw by implementing the
TLS Renegotiation Indication Extension, as defined in RFC 5746.
(CVE-2009-3555)

Refer to the following Knowledgebase article for additional details about
the CVE-2009-3555 flaw: http://kbase.redhat.com/faq/docs/DOC-20491

Dan Kaminsky found that browsers could accept certificates with MD2 hash
signatures, even though MD2 is no longer considered a cryptographically
strong algorithm. This could make it easier for an attacker to create a
malicious certificate that would be treated as trusted by a browser. GnuTLS
now disables the use of the MD2 algorithm inside signatures by default.
(CVE-2009-2409)

Users of GnuTLS are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. For the update to take
effect, all applications linked to the GnuTLS library must be restarted, or
the system rebooted.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)
SRPMS:
gnutls-1.4.1-3.el5_4.8.src.rpm     MD5: b1f44e6333f454cedc4e844788ab125c
SHA-256: c209372b01a3acde3de0d18e86640b4f65e822174b532f750231be66a0e71778
 
IA-32:
gnutls-devel-1.4.1-3.el5_4.8.i386.rpm     MD5: 0ee89514e9da9b6b7af50e5b8f53c716
SHA-256: b95e6f0d887299cdf0e29ada46625b460544b16439318118835b9ac4100af400
 
x86_64:
gnutls-devel-1.4.1-3.el5_4.8.i386.rpm     MD5: 0ee89514e9da9b6b7af50e5b8f53c716
SHA-256: b95e6f0d887299cdf0e29ada46625b460544b16439318118835b9ac4100af400
gnutls-devel-1.4.1-3.el5_4.8.x86_64.rpm     MD5: db5e087872cd8abaab8c53611ff983a3
SHA-256: 3c39de96ec02585722e8881592cc7cce109fde03664f7a666038bc48f1513767
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
gnutls-1.4.1-3.el5_4.8.src.rpm     MD5: b1f44e6333f454cedc4e844788ab125c
SHA-256: c209372b01a3acde3de0d18e86640b4f65e822174b532f750231be66a0e71778
 
IA-32:
gnutls-1.4.1-3.el5_4.8.i386.rpm     MD5: 1aac874d8f2e5dc40b44858d37f52176
SHA-256: 42336287a94513fe675caad5a1caa7ff3dcbd43976fedd8f136e8f18f1873909
gnutls-devel-1.4.1-3.el5_4.8.i386.rpm     MD5: 0ee89514e9da9b6b7af50e5b8f53c716
SHA-256: b95e6f0d887299cdf0e29ada46625b460544b16439318118835b9ac4100af400
gnutls-utils-1.4.1-3.el5_4.8.i386.rpm     MD5: f0053dcc3c00e42448fb8ed63ff36a74
SHA-256: eca94d51272e258cb88928defca80793d74b74eb11fd9f27eca8076596e22cc7
 
IA-64:
gnutls-1.4.1-3.el5_4.8.i386.rpm     MD5: 1aac874d8f2e5dc40b44858d37f52176
SHA-256: 42336287a94513fe675caad5a1caa7ff3dcbd43976fedd8f136e8f18f1873909
gnutls-1.4.1-3.el5_4.8.ia64.rpm     MD5: e72d605d162e58e17579179bf96b0279
SHA-256: cc5637964fcf756a2512cbc791e4720348a392e1564eba1ca007dd5caa44747a
gnutls-devel-1.4.1-3.el5_4.8.ia64.rpm     MD5: ead75d2fec084718c18b5ebcd747672a
SHA-256: 4242d3f6bcc99badd243c7addef3890ab51dfd96e04863c6963497af6dc1feca
gnutls-utils-1.4.1-3.el5_4.8.ia64.rpm     MD5: 16556e6e7146eb823602ddb82192873d
SHA-256: 6a6e4f3d6ea38f8021dbaab55e0f47daea67ac0747c4173fd3bb1b0cf2dbbb86
 
PPC:
gnutls-1.4.1-3.el5_4.8.ppc.rpm     MD5: 0da03571ec6f4dabd2cb0c9c1042773b
SHA-256: 27e6988241d73dcdf230a1b1ff7ea6ae6da84a4eb1fcb55e65e89f2b5f45083f
gnutls-1.4.1-3.el5_4.8.ppc64.rpm     MD5: 3fdeedf5627d69c5ac4ada00c8517635
SHA-256: 3840f4d00f72bde489f1b1b16cd2192881577ba77932ab1b7960fea1ca710a57
gnutls-devel-1.4.1-3.el5_4.8.ppc.rpm     MD5: c6e057677828132346bf1ceb3ebdbfbb
SHA-256: 2d80a0024a96901f5cc177d23190c7895947fa6015d67e7e62d07dabca676633
gnutls-devel-1.4.1-3.el5_4.8.ppc64.rpm     MD5: f7a1c42dd473b9acc9a32414708fee79
SHA-256: e472108c9f421d0d6417dce402b609c67b6f69f2aed00397fa1a91b5bb29d255
gnutls-utils-1.4.1-3.el5_4.8.ppc.rpm     MD5: a10ba7916427f1d8e9ecd7f7d05938fe
SHA-256: e7b11fe757a2a82772a9e58aa7afafeb3c9d1aec8187d393238ef899165f8629
 
s390x:
gnutls-1.4.1-3.el5_4.8.s390.rpm     MD5: f69fb02e6ab98b90e9417b792edcae35
SHA-256: c6fb5381002dff0ea89155820ba8c15988456de081d540cfc98e4c8e6cb7e0b2
gnutls-1.4.1-3.el5_4.8.s390x.rpm     MD5: 79ea70fd3cbb5cb6e09a40a689218707
SHA-256: 4626d34570e85d5c8a7bb277c17cf15d4181dfc48aade3b8550aac17c1201aef
gnutls-devel-1.4.1-3.el5_4.8.s390.rpm     MD5: d83fb754d84af8a2c6d321a0a0a33ec2
SHA-256: 82fac1518824406c01d88059302c6eb96c4e06174ec90e0aae171de25b0612bf
gnutls-devel-1.4.1-3.el5_4.8.s390x.rpm     MD5: 66dc397eb26b7413079d66ffe02da781
SHA-256: 7e24637d0a0920da92928cb3f05da4866fd5ee656b7271f216cce2b86d5408b8
gnutls-utils-1.4.1-3.el5_4.8.s390x.rpm     MD5: 3495ebf1dfbf51a59a727ff67aaf57cd
SHA-256: d905e632139326be552cb7782ca2bd98004b0661c581134d7a35da76e595cc3a
 
x86_64:
gnutls-1.4.1-3.el5_4.8.i386.rpm     MD5: 1aac874d8f2e5dc40b44858d37f52176
SHA-256: 42336287a94513fe675caad5a1caa7ff3dcbd43976fedd8f136e8f18f1873909
gnutls-1.4.1-3.el5_4.8.x86_64.rpm     MD5: 682a233fa23506a75a24345d1ba84ca1
SHA-256: 230d6a096a90338d2c085945c99612f78d7bdb88928a303b0459d273ba7e83ca
gnutls-devel-1.4.1-3.el5_4.8.i386.rpm     MD5: 0ee89514e9da9b6b7af50e5b8f53c716
SHA-256: b95e6f0d887299cdf0e29ada46625b460544b16439318118835b9ac4100af400
gnutls-devel-1.4.1-3.el5_4.8.x86_64.rpm     MD5: db5e087872cd8abaab8c53611ff983a3
SHA-256: 3c39de96ec02585722e8881592cc7cce109fde03664f7a666038bc48f1513767
gnutls-utils-1.4.1-3.el5_4.8.x86_64.rpm     MD5: c85dd81c2036ab0da5ec3a2ed6309a40
SHA-256: d4d2f8aa08a47a13349a812b75ce4bc61be7ff8808c1ec050e5ef77fcc05dd48
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
gnutls-1.4.1-3.el5_4.8.src.rpm     MD5: b1f44e6333f454cedc4e844788ab125c
SHA-256: c209372b01a3acde3de0d18e86640b4f65e822174b532f750231be66a0e71778
 
IA-32:
gnutls-1.4.1-3.el5_4.8.i386.rpm     MD5: 1aac874d8f2e5dc40b44858d37f52176
SHA-256: 42336287a94513fe675caad5a1caa7ff3dcbd43976fedd8f136e8f18f1873909
gnutls-utils-1.4.1-3.el5_4.8.i386.rpm     MD5: f0053dcc3c00e42448fb8ed63ff36a74
SHA-256: eca94d51272e258cb88928defca80793d74b74eb11fd9f27eca8076596e22cc7
 
x86_64:
gnutls-1.4.1-3.el5_4.8.i386.rpm     MD5: 1aac874d8f2e5dc40b44858d37f52176
SHA-256: 42336287a94513fe675caad5a1caa7ff3dcbd43976fedd8f136e8f18f1873909
gnutls-1.4.1-3.el5_4.8.x86_64.rpm     MD5: 682a233fa23506a75a24345d1ba84ca1
SHA-256: 230d6a096a90338d2c085945c99612f78d7bdb88928a303b0459d273ba7e83ca
gnutls-utils-1.4.1-3.el5_4.8.x86_64.rpm     MD5: c85dd81c2036ab0da5ec3a2ed6309a40
SHA-256: d4d2f8aa08a47a13349a812b75ce4bc61be7ff8808c1ec050e5ef77fcc05dd48
 
Red Hat Enterprise Linux EUS (v. 5.4.z server)
SRPMS:
gnutls-1.4.1-3.el5_4.8.src.rpm     MD5: b1f44e6333f454cedc4e844788ab125c
SHA-256: c209372b01a3acde3de0d18e86640b4f65e822174b532f750231be66a0e71778
 
IA-32:
gnutls-1.4.1-3.el5_4.8.i386.rpm     MD5: 1aac874d8f2e5dc40b44858d37f52176
SHA-256: 42336287a94513fe675caad5a1caa7ff3dcbd43976fedd8f136e8f18f1873909
gnutls-devel-1.4.1-3.el5_4.8.i386.rpm     MD5: 0ee89514e9da9b6b7af50e5b8f53c716
SHA-256: b95e6f0d887299cdf0e29ada46625b460544b16439318118835b9ac4100af400
gnutls-utils-1.4.1-3.el5_4.8.i386.rpm     MD5: f0053dcc3c00e42448fb8ed63ff36a74
SHA-256: eca94d51272e258cb88928defca80793d74b74eb11fd9f27eca8076596e22cc7
 
IA-64:
gnutls-1.4.1-3.el5_4.8.i386.rpm     MD5: 1aac874d8f2e5dc40b44858d37f52176
SHA-256: 42336287a94513fe675caad5a1caa7ff3dcbd43976fedd8f136e8f18f1873909
gnutls-1.4.1-3.el5_4.8.ia64.rpm     MD5: e72d605d162e58e17579179bf96b0279
SHA-256: cc5637964fcf756a2512cbc791e4720348a392e1564eba1ca007dd5caa44747a
gnutls-devel-1.4.1-3.el5_4.8.ia64.rpm     MD5: ead75d2fec084718c18b5ebcd747672a
SHA-256: 4242d3f6bcc99badd243c7addef3890ab51dfd96e04863c6963497af6dc1feca
gnutls-utils-1.4.1-3.el5_4.8.ia64.rpm     MD5: 16556e6e7146eb823602ddb82192873d
SHA-256: 6a6e4f3d6ea38f8021dbaab55e0f47daea67ac0747c4173fd3bb1b0cf2dbbb86
 
PPC:
gnutls-1.4.1-3.el5_4.8.ppc.rpm     MD5: 0da03571ec6f4dabd2cb0c9c1042773b
SHA-256: 27e6988241d73dcdf230a1b1ff7ea6ae6da84a4eb1fcb55e65e89f2b5f45083f
gnutls-1.4.1-3.el5_4.8.ppc64.rpm     MD5: 3fdeedf5627d69c5ac4ada00c8517635
SHA-256: 3840f4d00f72bde489f1b1b16cd2192881577ba77932ab1b7960fea1ca710a57
gnutls-devel-1.4.1-3.el5_4.8.ppc.rpm     MD5: c6e057677828132346bf1ceb3ebdbfbb
SHA-256: 2d80a0024a96901f5cc177d23190c7895947fa6015d67e7e62d07dabca676633
gnutls-devel-1.4.1-3.el5_4.8.ppc64.rpm     MD5: f7a1c42dd473b9acc9a32414708fee79
SHA-256: e472108c9f421d0d6417dce402b609c67b6f69f2aed00397fa1a91b5bb29d255
gnutls-utils-1.4.1-3.el5_4.8.ppc.rpm     MD5: a10ba7916427f1d8e9ecd7f7d05938fe
SHA-256: e7b11fe757a2a82772a9e58aa7afafeb3c9d1aec8187d393238ef899165f8629
 
s390x:
gnutls-1.4.1-3.el5_4.8.s390.rpm     MD5: f69fb02e6ab98b90e9417b792edcae35
SHA-256: c6fb5381002dff0ea89155820ba8c15988456de081d540cfc98e4c8e6cb7e0b2
gnutls-1.4.1-3.el5_4.8.s390x.rpm     MD5: 79ea70fd3cbb5cb6e09a40a689218707
SHA-256: 4626d34570e85d5c8a7bb277c17cf15d4181dfc48aade3b8550aac17c1201aef
gnutls-devel-1.4.1-3.el5_4.8.s390.rpm     MD5: d83fb754d84af8a2c6d321a0a0a33ec2
SHA-256: 82fac1518824406c01d88059302c6eb96c4e06174ec90e0aae171de25b0612bf
gnutls-devel-1.4.1-3.el5_4.8.s390x.rpm     MD5: 66dc397eb26b7413079d66ffe02da781
SHA-256: 7e24637d0a0920da92928cb3f05da4866fd5ee656b7271f216cce2b86d5408b8
gnutls-utils-1.4.1-3.el5_4.8.s390x.rpm     MD5: 3495ebf1dfbf51a59a727ff67aaf57cd
SHA-256: d905e632139326be552cb7782ca2bd98004b0661c581134d7a35da76e595cc3a
 
x86_64:
gnutls-1.4.1-3.el5_4.8.i386.rpm     MD5: 1aac874d8f2e5dc40b44858d37f52176
SHA-256: 42336287a94513fe675caad5a1caa7ff3dcbd43976fedd8f136e8f18f1873909
gnutls-1.4.1-3.el5_4.8.x86_64.rpm     MD5: 682a233fa23506a75a24345d1ba84ca1
SHA-256: 230d6a096a90338d2c085945c99612f78d7bdb88928a303b0459d273ba7e83ca
gnutls-devel-1.4.1-3.el5_4.8.i386.rpm     MD5: 0ee89514e9da9b6b7af50e5b8f53c716
SHA-256: b95e6f0d887299cdf0e29ada46625b460544b16439318118835b9ac4100af400
gnutls-devel-1.4.1-3.el5_4.8.x86_64.rpm     MD5: db5e087872cd8abaab8c53611ff983a3
SHA-256: 3c39de96ec02585722e8881592cc7cce109fde03664f7a666038bc48f1513767
gnutls-utils-1.4.1-3.el5_4.8.x86_64.rpm     MD5: c85dd81c2036ab0da5ec3a2ed6309a40
SHA-256: d4d2f8aa08a47a13349a812b75ce4bc61be7ff8808c1ec050e5ef77fcc05dd48
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

510197 - CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)
533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation


References

https://www.redhat.com/security/data/cve/CVE-2009-2409.html
https://www.redhat.com/security/data/cve/CVE-2009-3555.html
http://www.redhat.com/security/updates/classification/#moderate
http://kbase.redhat.com/faq/docs/DOC-20491

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/