SB20170613100 - Null pointer dereference in gnutls (Alpine package)
Published: June 13, 2017
Security Bulletin ID: SB20170613100
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Denial of service
Description
This security bulletin contains information about 1 security vulnerability.
1) Null pointer dereference (CVE-ID: CVE-2017-7507)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to a NULL pointer dereference while decoding a status response TLS extension with valid contents. A remote attacker can send a specially crafted status_request extension in a ClientHello message to cause the GnuTLS server application to crash.
Successful exploitation of the vulnerability results in denial of service.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=4a0c4741e713ac2f2bff164ee6290e2b05b38337
- https://git.alpinelinux.org/aports/commit/?id=bf7ea3ddcb2fbbdd123dc032ad0390f251a53021
- https://git.alpinelinux.org/aports/commit/?id=58e74e8888824eacbceb6fab0e86a669b6f7b4a7
- https://git.alpinelinux.org/aports/commit/?id=5fbec35783cdcd6466d659d24270129ee8dd5e4c
- https://git.alpinelinux.org/aports/commit/?id=697b8b651803084fa8049221716ea4cc2caedaf2
- https://git.alpinelinux.org/aports/commit/?id=ff3bd82d90d2e9b5d9ae6eb6bd55659ee8d560ff
- https://git.alpinelinux.org/aports/commit/?id=dcfba7f9908f92103eca3e4ff7adf1e4367544b7
- https://git.alpinelinux.org/aports/commit/?id=1a7a0bb86ac263a19cc8a474a3cf99ef533f54a1
- https://git.alpinelinux.org/aports/commit/?id=e70623340aaf431d3acca55c9739230d554a0b17
- https://git.alpinelinux.org/aports/commit/?id=f6e9f6a1a399506bb539502f4b1a99ca6655db05
- https://git.alpinelinux.org/aports/commit/?id=d41da612f88d05e5f3c29088e6303e3bd3804b98
- https://git.alpinelinux.org/aports/commit/?id=1035d2568a61b1be21765c686e634f6e47458949