SB2014061304 - SUSE Linux update for GnuTLS
Published: June 13, 2014
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2014-3466)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message.
2) Input validation error (CVE-ID: CVE-2014-3467)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data.
3) Input validation error (CVE-ID: CVE-2014-3468)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data.
4) Input validation error (CVE-ID: CVE-2014-3469)
The vulnerability allows context-dependent attackers to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument.
Remediation
Install update from vendor's website.