Security Advisory Moderate: gnutls security, bug fix, and enhancement update

Advisory: RHSA-2017:0574-1
Type: Security Advisory
Severity: Moderate
Issued on: 2017-03-21
Last updated on: 2017-03-21
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2016-8610
CVE-2017-5335
CVE-2017-5336
CVE-2017-5337

Details

An update for gnutls is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library,
which implements cryptographic algorithms and protocols such as SSL, TLS, and
DTLS.

The following packages have been upgraded to a later upstream version: gnutls
(2.12.23). (BZ#1321112, BZ#1326073, BZ#1415682, BZ#1326389)

Security Fix(es):

* A denial of service flaw was found in the way the TLS/SSL protocol defined
processing of ALERT packets during a connection handshake. A remote attacker
could use this flaw to make a TLS/SSL server consume an excessive amount of CPU
and fail to accept connections from other clients. (CVE-2016-8610)

* Multiple flaws were found in the way gnutls processed OpenPGP certificates. An
attacker could create specially crafted OpenPGP certificates which, when parsed
by gnutls, would cause it to crash. (CVE-2017-5335, CVE-2017-5336,
CVE-2017-5337)
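The CVE-2016-8610 entry above describes a server that burns CPU on plaintext ALERT records a client sends while the handshake is still in progress. The following record-layer monitor is an added example for this page, not GnuTLS code and not Red Hat's fix: it walks the client-to-server byte stream, counts alert records (including malformed ones whose body is not the two bytes an alert carries) that arrive before the client's ChangeCipherSpec, and flags the stream once a threshold is exceeded. The threshold, the sample bytes and the choice of the user_canceled warning description are constructed assumptions; the record framing follows RFC 5246.

```python
"""Flag a TLS client that floods a server with plaintext alert records during
the handshake (the CVE-2016-8610 pattern described in the advisory).

Added example for this advisory page; not GnuTLS or Red Hat code."""
import struct
from dataclasses import dataclass

# TLS record-layer content types (RFC 5246 section 6.2.1) and alert levels.
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
ALERT_WARNING, ALERT_FATAL = 1, 2
HEADER_LEN = 5
# Detection threshold: an assumption for this example, not a value from the advisory.
MAX_HANDSHAKE_ALERTS = 4


@dataclass
class AlertStats:
    records: int = 0
    handshake_alerts: int = 0   # non-fatal alert records seen before the client's CCS
    malformed_alerts: int = 0   # alert records whose body is not exactly 2 bytes
    fatal_seen: bool = False
    handshake_done: bool = False
    flagged: bool = False


def iter_records(data: bytes):
    """Yield (content_type, version, body) per complete record; stop at a truncated tail."""
    off = 0
    while off + HEADER_LEN <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + HEADER_LEN])
        body = data[off + HEADER_LEN:off + HEADER_LEN + length]
        if len(body) < length:
            break  # partial record: wait for more bytes
        yield ctype, version, body
        off += HEADER_LEN + length


def analyze_client_stream(data: bytes, limit: int = MAX_HANDSHAKE_ALERTS) -> AlertStats:
    """Count plaintext alerts the client sends before finishing its side of the handshake."""
    st = AlertStats()
    for ctype, _version, body in iter_records(data):
        st.records += 1
        if ctype == CHANGE_CIPHER_SPEC:
            # From here on the client's records are encrypted; alerts are no longer plaintext.
            st.handshake_done = True
        elif ctype == ALERT and not st.handshake_done:
            if len(body) != 2:
                st.malformed_alerts += 1        # malformed alert: counted, still processed
            elif body[0] == ALERT_FATAL:
                st.fatal_seen = True
                break                           # a fatal alert ends the connection
            st.handshake_alerts += 1
            if st.handshake_alerts > limit:
                st.flagged = True
    return st


def record(ctype: int, body: bytes, version: int = 0x0303) -> bytes:
    """Frame one TLS record (constructed test data, TLS 1.2 version field)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def build_sample(n_alerts: int) -> bytes:
    """Constructed stream: a ClientHello-framed record followed by n warning alerts.
    The hello body is a stub, enough for record parsing, not a valid ClientHello."""
    hello_body = b"\x03\x03" + b"\x00" * 32
    client_hello = b"\x01" + len(hello_body).to_bytes(3, "big") + hello_body
    warning_alert = bytes([ALERT_WARNING, 90])  # level warning, description user_canceled
    return record(HANDSHAKE, client_hello) + record(ALERT, warning_alert) * n_alerts


if __name__ == "__main__":
    for n in (2, 50):
        stats = analyze_client_stream(build_sample(n))
        print(f"{n} alerts before CCS -> flagged={stats.flagged}, records={stats.records}")
```

A real deployment would feed this from a packet capture or a TLS-terminating proxy; the same counter is what a patched library enforces internally by refusing to process an unbounded run of warning alerts before the handshake completes.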

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise
Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked
from the References section.


Solution

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
gnutls-2.12.23-21.el6.src.rpm     MD5: 1ec45d9c0890c2ae440ba51c1a189320
SHA-256: 3cb26c2a02f2190a69603d8c8e4e5f6864f54a57142f28438ac01e49449c7724
 
IA-32:
gnutls-2.12.23-21.el6.i686.rpm     MD5: 1bb88a9cc83aa9abebb7eb1d21337c13
SHA-256: d17873048a3e8dc8a40d69c76ccc093994c2a3d1effe565c1f9b3e88c797ef1e
gnutls-debuginfo-2.12.23-21.el6.i686.rpm     MD5: 541eceab56bee32d4641a716c5a63508
SHA-256: a285bcd67e61cafb229a3d61ee3a8bd265d7ec953f40e029f8c6cebc47a426e3
gnutls-devel-2.12.23-21.el6.i686.rpm     MD5: 55e9658179c701ed3419b121ac565f77
SHA-256: 25eb97d0c0abd5cf61d623f46496c0a2931415ec4e6f95d36dde6d8f00e1721c
gnutls-guile-2.12.23-21.el6.i686.rpm     MD5: 0554b7b185ee91badff1656a778c41fd
SHA-256: a3c8380ddcbaddd5e75bee0154e52f4a379d81f0b0a9b3acd0c06fb2df95c9db
gnutls-utils-2.12.23-21.el6.i686.rpm     MD5: c744b002d5b776800b05253874ff0338
SHA-256: ee9b27bdbd8dbf3753a5c36ecdc32918f7b0bbb791b39520786810781c53d599
 
x86_64:
gnutls-2.12.23-21.el6.i686.rpm     MD5: 1bb88a9cc83aa9abebb7eb1d21337c13
SHA-256: d17873048a3e8dc8a40d69c76ccc093994c2a3d1effe565c1f9b3e88c797ef1e
gnutls-2.12.23-21.el6.x86_64.rpm     MD5: 0a465f3fbd86157bfd20ecc7fdbf9901
SHA-256: 3be2e2f0fc6708755b317c03b5cc7740472868e03c61d27c9feca3fde777f1fc
gnutls-debuginfo-2.12.23-21.el6.i686.rpm     MD5: 541eceab56bee32d4641a716c5a63508
SHA-256: a285bcd67e61cafb229a3d61ee3a8bd265d7ec953f40e029f8c6cebc47a426e3
gnutls-debuginfo-2.12.23-21.el6.x86_64.rpm     MD5: 7bb223f075881251a8927d8affcd7b2e
SHA-256: 7c00cc8e291739671c616472ba42d58b45220922259e141f75166ae7e91cfa61
gnutls-devel-2.12.23-21.el6.i686.rpm     MD5: 55e9658179c701ed3419b121ac565f77
SHA-256: 25eb97d0c0abd5cf61d623f46496c0a2931415ec4e6f95d36dde6d8f00e1721c
gnutls-devel-2.12.23-21.el6.x86_64.rpm     MD5: 76ed6b219e773acccbd7045994b0d9a1
SHA-256: 0f33cd771da1b3615b4361622b2cff5993059673f5e81d573fb903d9b55d7289
gnutls-guile-2.12.23-21.el6.i686.rpm     MD5: 0554b7b185ee91badff1656a778c41fd
SHA-256: a3c8380ddcbaddd5e75bee0154e52f4a379d81f0b0a9b3acd0c06fb2df95c9db
gnutls-guile-2.12.23-21.el6.x86_64.rpm     MD5: 8e28b83c12a6736e029d4efe3983323f
SHA-256: 0785d1bc45b975bf67ad399df1c0755b87c28269b4ef8c8159fe9b4c7a1f4dd9
gnutls-utils-2.12.23-21.el6.x86_64.rpm     MD5: d4ab72ecdb81da8ed1898d5136c927cf
SHA-256: 7c140308048bbf3d5ca641c51411018817d64a0ec7ce4a0319dba251d99ca693
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
gnutls-2.12.23-21.el6.src.rpm     MD5: 1ec45d9c0890c2ae440ba51c1a189320
SHA-256: 3cb26c2a02f2190a69603d8c8e4e5f6864f54a57142f28438ac01e49449c7724
 
x86_64:
gnutls-2.12.23-21.el6.i686.rpm     MD5: 1bb88a9cc83aa9abebb7eb1d21337c13
SHA-256: d17873048a3e8dc8a40d69c76ccc093994c2a3d1effe565c1f9b3e88c797ef1e
gnutls-2.12.23-21.el6.x86_64.rpm     MD5: 0a465f3fbd86157bfd20ecc7fdbf9901
SHA-256: 3be2e2f0fc6708755b317c03b5cc7740472868e03c61d27c9feca3fde777f1fc
gnutls-debuginfo-2.12.23-21.el6.i686.rpm     MD5: 541eceab56bee32d4641a716c5a63508
SHA-256: a285bcd67e61cafb229a3d61ee3a8bd265d7ec953f40e029f8c6cebc47a426e3
gnutls-debuginfo-2.12.23-21.el6.x86_64.rpm     MD5: 7bb223f075881251a8927d8affcd7b2e
SHA-256: 7c00cc8e291739671c616472ba42d58b45220922259e141f75166ae7e91cfa61
gnutls-devel-2.12.23-21.el6.i686.rpm     MD5: 55e9658179c701ed3419b121ac565f77
SHA-256: 25eb97d0c0abd5cf61d623f46496c0a2931415ec4e6f95d36dde6d8f00e1721c
gnutls-devel-2.12.23-21.el6.x86_64.rpm     MD5: 76ed6b219e773acccbd7045994b0d9a1
SHA-256: 0f33cd771da1b3615b4361622b2cff5993059673f5e81d573fb903d9b55d7289
gnutls-guile-2.12.23-21.el6.i686.rpm     MD5: 0554b7b185ee91badff1656a778c41fd
SHA-256: a3c8380ddcbaddd5e75bee0154e52f4a379d81f0b0a9b3acd0c06fb2df95c9db
gnutls-guile-2.12.23-21.el6.x86_64.rpm     MD5: 8e28b83c12a6736e029d4efe3983323f
SHA-256: 0785d1bc45b975bf67ad399df1c0755b87c28269b4ef8c8159fe9b4c7a1f4dd9
gnutls-utils-2.12.23-21.el6.x86_64.rpm     MD5: d4ab72ecdb81da8ed1898d5136c927cf
SHA-256: 7c140308048bbf3d5ca641c51411018817d64a0ec7ce4a0319dba251d99ca693
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
gnutls-2.12.23-21.el6.src.rpm     MD5: 1ec45d9c0890c2ae440ba51c1a189320
SHA-256: 3cb26c2a02f2190a69603d8c8e4e5f6864f54a57142f28438ac01e49449c7724
 
IA-32:
gnutls-2.12.23-21.el6.i686.rpm     MD5: 1bb88a9cc83aa9abebb7eb1d21337c13
SHA-256: d17873048a3e8dc8a40d69c76ccc093994c2a3d1effe565c1f9b3e88c797ef1e
gnutls-debuginfo-2.12.23-21.el6.i686.rpm     MD5: 541eceab56bee32d4641a716c5a63508
SHA-256: a285bcd67e61cafb229a3d61ee3a8bd265d7ec953f40e029f8c6cebc47a426e3
gnutls-devel-2.12.23-21.el6.i686.rpm     MD5: 55e9658179c701ed3419b121ac565f77
SHA-256: 25eb97d0c0abd5cf61d623f46496c0a2931415ec4e6f95d36dde6d8f00e1721c
gnutls-guile-2.12.23-21.el6.i686.rpm     MD5: 0554b7b185ee91badff1656a778c41fd
SHA-256: a3c8380ddcbaddd5e75bee0154e52f4a379d81f0b0a9b3acd0c06fb2df95c9db
gnutls-utils-2.12.23-21.el6.i686.rpm     MD5: c744b002d5b776800b05253874ff0338
SHA-256: ee9b27bdbd8dbf3753a5c36ecdc32918f7b0bbb791b39520786810781c53d599
 
PPC:
gnutls-2.12.23-21.el6.ppc.rpm     MD5: 7f29f99c149916b2e50d80521facdf73
SHA-256: 0dd37cbd621c3c504bb75d3bfde821bc0d23fbb6d4205f76fb7002dac8de7104
gnutls-2.12.23-21.el6.ppc64.rpm     MD5: 310bfa560cf09be82ad5806e04c4eb3d
SHA-256: 93cf374f1ddb61e797ce9e6cf8bc80a04f666ef1d23b7f16ca4d29e1a12bc716
gnutls-debuginfo-2.12.23-21.el6.ppc.rpm     MD5: a9a5fc6c58f87888d6e98f841772f2aa
SHA-256: 08cc860b3c992012f4eac656d1ed8c89183a9f1eba3796e597214dfa978d1156
gnutls-debuginfo-2.12.23-21.el6.ppc64.rpm     MD5: d9b0ca3455258397b8c3aa5580636bb4
SHA-256: 2e7ca2177c6e00a85a31fede770de3af4e3167c549b231d6d16c83946ccf7f94
gnutls-devel-2.12.23-21.el6.ppc.rpm     MD5: 13e1f7cd74f562d4dd12c6a5e2a8f013
SHA-256: 9368cac4eac5abbad18724e04f225a84d3ca5df3093b0362a23f722d0563a586
gnutls-devel-2.12.23-21.el6.ppc64.rpm     MD5: 5146df1c3cd06352c80a65e9f3a8f815
SHA-256: 7c51d0afb166453599c42f8078df17c5562eddc6c2c04f3c9b31ffc43a4b6c4c
gnutls-guile-2.12.23-21.el6.ppc.rpm     MD5: 923aedcaf056a7ed76385872482a6a68
SHA-256: 1e1a3cd8611628848e995d1ee304c1ec8ff2eb452862c8d0a0f30ca76b085992
gnutls-guile-2.12.23-21.el6.ppc64.rpm     MD5: 633c55b64ca0015ed7dd5045e7ce7544
SHA-256: 1f2844d2f41cd2034ac75546f009f49d6a6b47ab400f623803fddaa071e67740
gnutls-utils-2.12.23-21.el6.ppc64.rpm     MD5: e008ef7d15faa6ed772d3c229f956fce
SHA-256: 6654bd8e141ec2f37fa05ca1a9d30c057cdb29dca04194260cb38e9591733670
 
s390x:
gnutls-2.12.23-21.el6.s390.rpm     MD5: 63e361aee8640bd3814d05d972efc32f
SHA-256: fb1432f17bbe8a8cc3be00bffa0abde07f352a9e0dbdbf37a7c38d020abc6e24
gnutls-2.12.23-21.el6.s390x.rpm     MD5: 3ddf880425b5aa5eeadb813dc2a23fb1
SHA-256: 2c4c5af9a17f9df02e6abfd48aabf4a4c37a89aff132c72d58d15586cc400d86
gnutls-debuginfo-2.12.23-21.el6.s390.rpm     MD5: 30ed32880efc443c6f635e8c92f7eebc
SHA-256: 658fb5bb6d56a474e92f57d116470d9db92ba71c9d99af552a7676579d73b824
gnutls-debuginfo-2.12.23-21.el6.s390x.rpm     MD5: 9c85edc3e0ef12329ac04310c072916d
SHA-256: 7d856105f6380db32aad07ff55237c80a40f8595540e2de70e783bc718581554
gnutls-devel-2.12.23-21.el6.s390.rpm     MD5: 5c55f4bb7788e44b20c7064f516cd80c
SHA-256: 7f9d115f2714bc60866f10089c7c6b2ee6a4210e99b9b9771ad973f0d8cc6a8f
gnutls-devel-2.12.23-21.el6.s390x.rpm     MD5: ac3afb019713f82065818b79a829818f
SHA-256: 80e2cc2e7d5e1f332f0141514d18b544d51ca17835f7c8d4df0fccf4b6632ced
gnutls-guile-2.12.23-21.el6.s390.rpm     MD5: ceae37030f322f00751c3b77928fea91
SHA-256: d02e108dc6dc2071c4c43e0580bb012648e88c845e16d90531acf73362169756
gnutls-guile-2.12.23-21.el6.s390x.rpm     MD5: 31ab6af90b7453871030a5eff84a6e0d
SHA-256: c5b878deba7752eef09da6d2042f814f25906aa318c56c3bb6a8a9e070248972
gnutls-utils-2.12.23-21.el6.s390x.rpm     MD5: faf380c72ac7674a9692679e08be483d
SHA-256: eefc0a5ea614d92e26bf228ec84d8f57d12f76b8241b6b3e7f5f07aaefac77ef
 
x86_64:
gnutls-2.12.23-21.el6.i686.rpm     MD5: 1bb88a9cc83aa9abebb7eb1d21337c13
SHA-256: d17873048a3e8dc8a40d69c76ccc093994c2a3d1effe565c1f9b3e88c797ef1e
gnutls-2.12.23-21.el6.x86_64.rpm     MD5: 0a465f3fbd86157bfd20ecc7fdbf9901
SHA-256: 3be2e2f0fc6708755b317c03b5cc7740472868e03c61d27c9feca3fde777f1fc
gnutls-debuginfo-2.12.23-21.el6.i686.rpm     MD5: 541eceab56bee32d4641a716c5a63508
SHA-256: a285bcd67e61cafb229a3d61ee3a8bd265d7ec953f40e029f8c6cebc47a426e3
gnutls-debuginfo-2.12.23-21.el6.x86_64.rpm     MD5: 7bb223f075881251a8927d8affcd7b2e
SHA-256: 7c00cc8e291739671c616472ba42d58b45220922259e141f75166ae7e91cfa61
gnutls-devel-2.12.23-21.el6.i686.rpm     MD5: 55e9658179c701ed3419b121ac565f77
SHA-256: 25eb97d0c0abd5cf61d623f46496c0a2931415ec4e6f95d36dde6d8f00e1721c
gnutls-devel-2.12.23-21.el6.x86_64.rpm     MD5: 76ed6b219e773acccbd7045994b0d9a1
SHA-256: 0f33cd771da1b3615b4361622b2cff5993059673f5e81d573fb903d9b55d7289
gnutls-guile-2.12.23-21.el6.i686.rpm     MD5: 0554b7b185ee91badff1656a778c41fd
SHA-256: a3c8380ddcbaddd5e75bee0154e52f4a379d81f0b0a9b3acd0c06fb2df95c9db
gnutls-guile-2.12.23-21.el6.x86_64.rpm     MD5: 8e28b83c12a6736e029d4efe3983323f
SHA-256: 0785d1bc45b975bf67ad399df1c0755b87c28269b4ef8c8159fe9b4c7a1f4dd9
gnutls-utils-2.12.23-21.el6.x86_64.rpm     MD5: d4ab72ecdb81da8ed1898d5136c927cf
SHA-256: 7c140308048bbf3d5ca641c51411018817d64a0ec7ce4a0319dba251d99ca693
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
gnutls-2.12.23-21.el6.src.rpm     MD5: 1ec45d9c0890c2ae440ba51c1a189320
SHA-256: 3cb26c2a02f2190a69603d8c8e4e5f6864f54a57142f28438ac01e49449c7724
 
IA-32:
gnutls-2.12.23-21.el6.i686.rpm     MD5: 1bb88a9cc83aa9abebb7eb1d21337c13
SHA-256: d17873048a3e8dc8a40d69c76ccc093994c2a3d1effe565c1f9b3e88c797ef1e
gnutls-debuginfo-2.12.23-21.el6.i686.rpm     MD5: 541eceab56bee32d4641a716c5a63508
SHA-256: a285bcd67e61cafb229a3d61ee3a8bd265d7ec953f40e029f8c6cebc47a426e3
gnutls-devel-2.12.23-21.el6.i686.rpm     MD5: 55e9658179c701ed3419b121ac565f77
SHA-256: 25eb97d0c0abd5cf61d623f46496c0a2931415ec4e6f95d36dde6d8f00e1721c
gnutls-guile-2.12.23-21.el6.i686.rpm     MD5: 0554b7b185ee91badff1656a778c41fd
SHA-256: a3c8380ddcbaddd5e75bee0154e52f4a379d81f0b0a9b3acd0c06fb2df95c9db
gnutls-utils-2.12.23-21.el6.i686.rpm     MD5: c744b002d5b776800b05253874ff0338
SHA-256: ee9b27bdbd8dbf3753a5c36ecdc32918f7b0bbb791b39520786810781c53d599
 
x86_64:
gnutls-2.12.23-21.el6.i686.rpm     MD5: 1bb88a9cc83aa9abebb7eb1d21337c13
SHA-256: d17873048a3e8dc8a40d69c76ccc093994c2a3d1effe565c1f9b3e88c797ef1e
gnutls-2.12.23-21.el6.x86_64.rpm     MD5: 0a465f3fbd86157bfd20ecc7fdbf9901
SHA-256: 3be2e2f0fc6708755b317c03b5cc7740472868e03c61d27c9feca3fde777f1fc
gnutls-debuginfo-2.12.23-21.el6.i686.rpm     MD5: 541eceab56bee32d4641a716c5a63508
SHA-256: a285bcd67e61cafb229a3d61ee3a8bd265d7ec953f40e029f8c6cebc47a426e3
gnutls-debuginfo-2.12.23-21.el6.x86_64.rpm     MD5: 7bb223f075881251a8927d8affcd7b2e
SHA-256: 7c00cc8e291739671c616472ba42d58b45220922259e141f75166ae7e91cfa61
gnutls-devel-2.12.23-21.el6.i686.rpm     MD5: 55e9658179c701ed3419b121ac565f77
SHA-256: 25eb97d0c0abd5cf61d623f46496c0a2931415ec4e6f95d36dde6d8f00e1721c
gnutls-devel-2.12.23-21.el6.x86_64.rpm     MD5: 76ed6b219e773acccbd7045994b0d9a1
SHA-256: 0f33cd771da1b3615b4361622b2cff5993059673f5e81d573fb903d9b55d7289
gnutls-guile-2.12.23-21.el6.i686.rpm     MD5: 0554b7b185ee91badff1656a778c41fd
SHA-256: a3c8380ddcbaddd5e75bee0154e52f4a379d81f0b0a9b3acd0c06fb2df95c9db
gnutls-guile-2.12.23-21.el6.x86_64.rpm     MD5: 8e28b83c12a6736e029d4efe3983323f
SHA-256: 0785d1bc45b975bf67ad399df1c0755b87c28269b4ef8c8159fe9b4c7a1f4dd9
gnutls-utils-2.12.23-21.el6.x86_64.rpm     MD5: d4ab72ecdb81da8ed1898d5136c927cf
SHA-256: 7c140308048bbf3d5ca641c51411018817d64a0ec7ce4a0319dba251d99ca693
 
(The unlinked packages above are only available from the Red Hat Network)
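The listing above gives a SHA-256 for every updated package, and the fixed build is gnutls-2.12.23-21.el6. The script below is an added example for this page, not Red Hat tooling: it parses the advisory's file-name / MD5 / SHA-256 lines (ignoring the MD5 column, which is not collision resistant), verifies downloaded RPMs against the SHA-256 values, and compares a host's installed gnutls EVR with the fixed one using a Python port of rpm's version-comparison algorithm (tilde handling included, the newer caret operator omitted). The two listing entries embedded in the code are copied from the x86_64 section above; the rpm query only works on an RPM-based host and is skipped elsewhere. Package signatures should still be checked with rpm's GPG verification as described at the end of this advisory.

```python
"""Check a host against RHSA-2017:0574-1: compare the installed gnutls EVR with the
fixed build and verify downloaded RPMs against the advisory's SHA-256 values.

Added example for this advisory page; not Red Hat tooling."""
import hashlib
import re
import subprocess
from typing import Dict, Tuple

FIXED_EVR = "2.12.23-21.el6"  # build shipped by this advisory (epoch 0)

# Two entries copied from the "Updated packages" listing (x86_64 section).
# A full run would paste the whole listing here.
ADVISORY_LISTING = """
gnutls-2.12.23-21.el6.src.rpm     MD5: 1ec45d9c0890c2ae440ba51c1a189320
SHA-256: 3cb26c2a02f2190a69603d8c8e4e5f6864f54a57142f28438ac01e49449c7724
gnutls-2.12.23-21.el6.x86_64.rpm     MD5: 0a465f3fbd86157bfd20ecc7fdbf9901
SHA-256: 3be2e2f0fc6708755b317c03b5cc7740472868e03c61d27c9feca3fde777f1fc
"""

_LISTING_RE = re.compile(
    r"^(\S+\.rpm)\s+MD5:\s*([0-9a-f]{32})\s+SHA-256:\s*([0-9a-f]{64})", re.M)


def parse_listing(text: str) -> Dict[str, str]:
    """Map RPM file name -> expected SHA-256. The MD5 column is deliberately ignored."""
    return {name: sha for name, _md5, sha in _LISTING_RE.findall(text)}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_rpm(path: str, expected_sha256: str) -> bool:
    return sha256_file(path) == expected_sha256.lower()


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1, 0 or 1. Handles '~' (sorts before anything)."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        if (i < la and a[i] == "~") or (j < lb and b[j] == "~"):
            if not (i < la and a[i] == "~"):
                return 1
            if not (j < lb and b[j] == "~"):
                return -1
            i += 1
            j += 1
            continue
        if not (i < la and j < lb):
            break
        si, sj = i, j
        isnum = a[i].isdigit()
        if isnum:
            while i < la and a[i].isdigit():
                i += 1
            while j < lb and b[j].isdigit():
                j += 1
        else:
            while i < la and a[i].isalpha():
                i += 1
            while j < lb and b[j].isalpha():
                j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:
            return 1 if isnum else -1        # numeric segments beat alpha segments
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def split_evr(evr: str) -> Tuple[int, str, str]:
    """'[EPOCH:]VERSION-RELEASE' -> (epoch, version, release); missing epoch is 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        if e not in ("", "(none)"):
            epoch = int(e)
    version, sep, release = evr.rpartition("-")
    if not sep:
        version, release = release, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed: str, fixed: str = FIXED_EVR) -> bool:
    return compare_evr(installed, fixed) >= 0


def installed_evr(package: str = "gnutls") -> str:
    """Query the local rpm database; only works on an RPM-based host."""
    out = subprocess.check_output(
        ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", package], text=True)
    return out.strip().splitlines()[0]   # multilib hosts list one line per arch


if __name__ == "__main__":
    import sys
    expected = parse_listing(ADVISORY_LISTING)
    for path in sys.argv[1:]:
        name = path.rsplit("/", 1)[-1]
        if name not in expected:
            print(f"{name}: not in advisory listing")
        else:
            print(f"{name}: {'OK' if verify_rpm(path, expected[name]) else 'SHA-256 MISMATCH'}")
    try:
        evr = installed_evr()
        print(f"installed gnutls {evr}: {'fixed' if is_fixed(evr) else 'VULNERABLE'}")
    except (OSError, subprocess.CalledProcessError):
        print("rpm not available; skipping installed-version check")
```

Run it with the downloaded RPM paths as arguments on the RHEL 6 host; a release such as 21.el6_9.1 from a later errata compares as newer than 21.el6 and is reported as fixed, while 17.el6_8.1 is not.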

Bugs fixed (see bugzilla for more information)

1320982 - ASSERT failure in gnutls-cli-debug
1321112 - DHE_DSS ciphers don't work with client certificates and OpenSSL using TLSv1.2
1323215 - gnutls-serv --http crashes with client certificates with NSS client
1326073 - GnuTLS prefers SHA-1 signatures in TLSv1.2
1326389 - GnuTLS server does not accept SHA-384 and SHA-512 Certificate Verify signatures despite advertising support for them
1326886 - GnuTLS server rejects connections that do not advertise support for SHA-1 signature algorithms
1327656 - gnutls-serv: closing connection without sending an Alert message
1328205 - gnutls-cli won't send certificates that don't match hashes in Certificate Request
1333521 - Provide ability to set the expected server name in gnutls-serv utility
1335924 - gnutls: Disable TLS connections with less than 1024-bit DH parameters
1337460 - Disable/remove export ciphersuites in GnuTLS
1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS
1411836 - CVE-2017-5337 gnutls: Heap read overflow in read-packet.c
1412235 - CVE-2017-5335 gnutls: Out of memory while parsing crafted OpenPGP certificate
1412236 - CVE-2017-5336 gnutls: Stack overflow in cdk_pk_get_keyid
1415682 - Changes introduced by rebase to 2.12.23 break API and ABI compatibility for some libraries


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/