- About Security Advisories
This page lists security vulnerabilities (of varying severity) analysed before 2018, when the new security issue handling process came into effect.
- Reporting security problems
File non-public reports in the issue tracker as confidential issues, or send an email to the bug report mail address.
Advisories before 2018
Tag | Other identifiers | Description | Information |
---|---|---|---|
GNUTLS-SA-2017-4 | | Crash | It was found using the TLS fuzzer tools that decoding a status response TLS extension with valid contents could lead to a crash due to a null pointer dereference. The issue affects GnuTLS server applications. The issue was fixed in 3.5.13. Recommendation: To address the issue found, upgrade to GnuTLS 3.5.13 or later versions. |
GNUTLS-SA-2017-3 | CVE-2017-7869 | Memory corruption | It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted OpenPGP certificate could lead to (A) an integer overflow, resulting in an invalid memory write, (B) a null pointer dereference, resulting in a server crash, and (C) a large allocation, resulting in a server out-of-memory condition. These affect only applications which utilize the OpenPGP certificate functionality of GnuTLS. The issues were fixed in 3.5.10. Recommendation: The support of OpenPGP certificates in GnuTLS is considered obsolete. As such, it is not recommended to use OpenPGP certificates with GnuTLS. To address the issues found, upgrade to GnuTLS 3.5.10 or later versions. |
GNUTLS-SA-2017-2 | CVE-2017-5335, CVE-2017-5336, CVE-2017-5337 | Memory corruption | It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted OpenPGP certificate could lead to heap and stack overflows. This affects only applications which utilize the OpenPGP certificate functionality of GnuTLS. This issue was fixed in GnuTLS 3.3.26 and 3.5.8. Recommendation: The support of OpenPGP certificates in GnuTLS is considered obsolete. As such, it is not recommended to use OpenPGP certificates with GnuTLS. To address the issues found, upgrade to GnuTLS 3.3.26, 3.5.8 or later versions. |
GNUTLS-SA-2017-1 | CVE-2017-5334 | Memory corruption | It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted X.509 certificate with the Proxy Certificate Information extension present could lead to a double free. This issue was fixed in GnuTLS 3.3.26 and 3.5.8. Recommendation: Upgrade to GnuTLS 3.3.26, 3.5.8 or later versions. |
GNUTLS-SA-2016-3 | CVE-2016-7444 | OCSP validation issue | Stefan Bühler discovered an issue that affects validation of certificates using OCSP responses, which can falsely report a certificate as valid under certain circumstances. That issue affects gnutls 3.3.24, 3.4.14, 3.5.3 and previous versions. Links: Write-up by Stefan Bühler. |
GNUTLS-SA-2016-2 | | Certificate verification issue | We discovered a vulnerability that affects certificate verification when GnuTLS is used in combination with the p11-kit trust module. That issue affects gnutls 3.3.23, 3.4.12 and later versions. Links: Who is affected by this vulnerability?; How to mitigate the vulnerability? |
GNUTLS-SA-2016-1 | CVE-2016-4456 | File overwrite by setuid programs | Setuid programs using GnuTLS 3.4.12 could potentially allow an attacker to overwrite and corrupt arbitrary files in the filesystem. This issue was introduced in GnuTLS 3.4.12 with the GNUTLS_KEYLOGFILE environment variable handling via getenv(), and fixed in GnuTLS 3.4.13 by switching to secure_getenv() where available. Recommendation: Upgrade to GnuTLS 3.4.13 or later versions. |
GNUTLS-SA-2015-4 | CVE-2015-3308 | Double free in CRL distribution points decoding of a certificate | Robert Święcki reported that decoding a specially crafted certificate with a certain CRL distribution points format can lead to a double free. This issue was fixed in GnuTLS 3.3.14. Recommendation: Upgrade to GnuTLS 3.3.14 or later versions. |
GNUTLS-SA-2015-3 | CVE-2015-6251 | Double free in certificate DN decoding | Kurt Roeckx reported that decoding a specific certificate with very long DistinguishedName (DN) entries leads to a double free, which may result in a denial of service. Since DN decoding occurs in almost all applications using certificates, it is recommended to upgrade to the latest GnuTLS version fixing the issue. Recommendation: Upgrade to GnuTLS 3.4.4 or 3.3.17. |
GNUTLS-SA-2015-2 | No CVE assigned | ServerKeyExchange signature issue | Karthikeyan Bhargavan reported that a ServerKeyExchange signature sent by the server is not verified to be in the set of algorithms acceptable to the client. That has the effect of allowing MD5 signatures (which are disabled by default) in the ServerKeyExchange message. It is not believed that this bug can be exploited, because a fraudulent signature would have to be generated in real time, which is not known to be possible. However, since attacks only get better, it is recommended to update to a GnuTLS version which addresses the issue. Recommendation: Upgrade to GnuTLS 3.4.1 or 3.3.15. |
GNUTLS-SA-2015-1 | CVE-2015-0282 | Signature forgery | This issue only affects versions of GnuTLS prior to 3.1.0 (released in 2012). These versions don't verify that the RSA PKCS #1 signature algorithm matches the signature algorithm in the certificate, leading to a potential downgrade to a disallowed algorithm, such as MD5, without detecting it. Recommendation: Upgrade to GnuTLS 3.1.0 or later. A patch will be included in the gnutls_2_12_x branch for the users of that version that cannot upgrade. |
GNUTLS-SA-2014-5 | CVE-2014-8564 | Denial of service | Sean Burford reported that the encoding of elliptic curve parameters in GnuTLS 3 is vulnerable to a denial of service (heap corruption). It affects clients and servers which print information about the peer's public key, e.g., the key ID, and can be exploited via a specially crafted X.509 certificate. Recommendation: Upgrade to GnuTLS 3.3.10, 3.2.20 or 3.1.28. |
GNUTLS-SA-2014-4 | CVE-2014-3566 | Possible plaintext recovery | This is a vulnerability in the SSL 3.0 protocol (called POODLE), which can be exploited when TLS clients use a non-standard, insecure protocol negotiation (it affects mostly browsers). Clients performing the standard TLS handshake as documented by GnuTLS are not affected. Links: Write-up by Nikos. Recommendation: For clients using the documented handshake process no action is required. Clients that use the non-standard insecure negotiation should not negotiate SSL 3.0. In all cases it is recommended to disable SSL 3.0 using a priority string such as "NORMAL:-VERS-SSL3.0". |
GNUTLS-SA-2014-3 | CVE-2014-3466 | Memory corruption | This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client. Links: Analysis at radare.today. Recommendation: Upgrade to the latest gnutls version (3.1.25, 3.2.15 or 3.3.4). |
GNUTLS-SA-2014-2 | CVE-2014-0092 | Certificate verification issue | A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks. The vulnerability was discovered during an audit of GnuTLS for Red Hat. Links: Who is affected by this attack?; How are past sessions affected?; How to mitigate the attack? |
GNUTLS-SA-2014-1 | CVE-2014-1959 | Certificate verification issue | Suman Jana reported a vulnerability that affects the certificate verification functions of gnutls 2.11.5 and later versions. A version 1 intermediate certificate will be considered as a CA certificate by default (something that deviates from the documented behavior). Links: Who is affected by this attack?; How to mitigate the attack? |
GNUTLS-SA-2013-3 | CVE-2013-4466 | Denial of service | This vulnerability affects the DANE library of gnutls 3.1.x and gnutls 3.2.x. A server that returns more than 4 DANE entries could corrupt the memory of a requesting client. Recommendation: Upgrade to the latest gnutls version (3.1.16 or 3.2.6). |
GNUTLS-SA-2013-2 | CVE-2013-2116 | Denial of service | This vulnerability affects gnutls 2.12.23 and its TLS record decoding. Recommendation: Apply the patch or upgrade to gnutls 3.x. |
GNUTLS-SA-2013-1 | TLS CBC padding timing attack, CVE-2013-1619 | Possible plaintext recovery | Nadhem Alfardan and Kenny Paterson devised an attack that recovers some bits of the plaintext of a GnuTLS session that utilizes CBC ciphersuites, by using timing information. In order for the attack to work the client must operate as follows. It connects to a server and sends some (encrypted) data that will be intercepted by the attacker, who will terminate the client's connection abnormally (i.e. the client will receive a premature termination error). The client must repeat that multiple times. Links: Who is affected by this attack?; How to mitigate the attack? |
GNUTLS-SA-2012-4 | "CRIME" attack, CVE-2012-4929 | Possible plaintext recovery | There is an attack on TLS called "CRIME" which takes advantage of compression and may recover plaintext under certain circumstances. Links: Who is affected by this attack?; How to mitigate the attack?; Security advisory; A description of the attack; Another analysis of the attack. |
GNUTLS-SA-2012-3 | CVE-2012-1569 | Denial of service | This vulnerability is in the libtasn1 library and affects DER length decoding; it is fixed in the 2.12 release. Links: Write-up by Mu Dynamics. Recommendation: Upgrade to libtasn1 2.12. |
GNUTLS-SA-2012-2 | CVE-2012-1573 | Possible buffer overflow/Denial of service | TLS record handling vulnerability fixed in GnuTLS 3.0.15. Links: Write-up by Mu Dynamics. Recommendation: Upgrade to GnuTLS 3.0.17 or 2.12.18. |
GNUTLS-SA-2012-1 | CVE-2012-0390 | Timing attack (DTLS) | This vulnerability allows an attacker to perform partial plaintext recovery using a timing attack on CBC-mode encryption. The attack is applicable to Datagram TLS (DTLS). Links: Announcement of GnuTLS 3.0.11; The paper describing the attack. Recommendation: Upgrade to GnuTLS 3.0.11. |
GNUTLS-SA-2011-2 | CVE-2011-4128 | Possible buffer overflow/Denial of service | Note that this vulnerability is triggered by TLS clients that utilize the session resumption functions in a particular way. Clients that perform session resumption using the same steps as in the example code of the GnuTLS documentation are not vulnerable. A preliminary analysis found no vulnerable clients. Links: Mailing list discussion. Recommendation: Upgrade to GnuTLS 3.0.7 or 2.12.14. |
GNUTLS-SA-2011-1 | Rizzo attack on TLS | Plaintext recovery | Links: Mailing list discussion. Recommendation: Make use of the TLS 1.1 or TLS 1.2 protocols, which are not vulnerable to the attack. TLS 1.1 is enabled by default in GnuTLS since version 2.0.0 (released in 2007). If this is not possible, disable CBC ciphers. |
GNUTLS-SA-2010-1 | CVE-2010-0731 | Remote Denial of Service | This vulnerability is in a version of GnuTLS that has been deprecated since 2006. We keep the information here because this version was included in some distributions. Links: RedHat bugzilla report; Mailing list discussion. Recommendation: Upgrade to the latest stable branch. |
GNUTLS-SA-2009-5 | CERT VU#120541, CVE-2009-3555 | Plaintext injection attack | Links: Mailing list discussion. Recommendation: Disable support for TLS renegotiation in application servers, or better, upgrade to GnuTLS 2.10.x. |
GNUTLS-SA-2009-4 | CVE-2009-2730 | False positive in certificate hostname validation | Links: Announcement of v2.8.3 that solves the problem; Analysis of the vulnerability and minimal patch; How to check if your GnuTLS library is vulnerable; Back-ported patches for earlier releases: [1] [2]. Recommendation: Upgrade to GnuTLS 2.8.3 or later. |
GNUTLS-SA-2009-3 | CVE-2009-1417 | No checking of certificate activation/expiration times | Links: Security advisory including patch; Announcement of v2.6.6 that includes the patch. Recommendation: Upgrade to GnuTLS 2.6.6 or later. If you still use the 2.4.x branch or earlier branches, apply the patch. |
GNUTLS-SA-2009-2 | CVE-2009-1416 | GnuTLS 2.6.x DSA keys are corrupt | Links: Security advisory including patch; Announcement of v2.6.6 that includes the patch. Recommendation: If you are using GnuTLS 2.6.x, upgrade to GnuTLS 2.6.6. |
GNUTLS-SA-2009-1 | CVE-2009-1415 | Double/invalid free in GnuTLS 2.6.x on certain errors | Links: Security advisory including patch; Announcement of v2.6.6 that includes the patch. Recommendation: If you are using GnuTLS 2.6.x, upgrade to GnuTLS 2.6.6. |
GNUTLS-SA-2008-3 | CVE-2008-4989 | Remote X.509 Trust Chain Validation error | Links: Announcement of v2.6.1 and patch; Detailed analysis; Announcement of v2.6.2 and updated patch; Announcement of updated patch and 2.6.3 release candidate; Announcement of v2.6.3; Announcement of v2.6.4 and v2.4.3. Recommendation: Upgrade to GnuTLS 2.6.4 or, if you still use the 2.4.x branch, 2.4.3, or later. |
GNUTLS-SA-2008-2 | CVE-2008-2377 | Local denial of service. Server can trigger crash in GnuTLS clients? | Links: Announcement; Detailed analysis and patch; Another report that suggests it can be exploited by hostile servers. Recommendation: Upgrade to GnuTLS 2.4.1 or apply the patch. |
GNUTLS-SA-2008-1 | CERT-FI announcement; CVE-2008-1948, CVE-2008-1949, CVE-2008-1950 | Remote Denial of Service | Links: Announcement and Patch; Updated announcement and Patch. Recommendation: Upgrade to GnuTLS 2.2.5 or apply the patch in the second link. |
GNUTLS-SA-2006-4 | CVE-2006-4790 (via NVD) | False positive in verifying signature | Links: Announcement; Updated patch; Original report. Recommendation: Upgrade to GnuTLS 1.4.4. |
GNUTLS-SA-2006-3 | None | | Links: Announcement; Bleichenbacher's Crypto 98 paper. Recommendation: No action required; see the post where this advisory is essentially withdrawn. |
GNUTLS-SA-2006-2 | CVE-2006-7239 | Denial of service? | Links: Details. Recommendation: Upgrade to GnuTLS 1.4.2. |
GNUTLS-SA-2006-1 | CVE-2006-0645 | Denial of service? | Links: Libtasn1 Announcement. Recommendation: Upgrade to Libtasn1 0.2.18 and GnuTLS 1.2.10 (stable) or 1.3.4 (experimental). |
GNUTLS-SA-2005-1 | CVE-2005-1431 | Denial of service | Links: Announcement; Write-up by Éric Leblond. Recommendation: Upgrade to GnuTLS 1.0.25 or 1.2.3. |