Bug 865804 (CVE-2014-0092) - VUL-0: CVE-2014-0092: gnutls: insufficient X.509 certificate verification
Status: RESOLVED FIXED
Alias: CVE-2014-0092
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P1 - Urgent, Severity: Major
Target Milestone: ---
Deadline: 2014-03-05
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle10-sp3:56455 maint:...
Reported: 2014-02-26 13:00 UTC by Alexander Bergmann
Modified: 2015-02-18 20:35 UTC
Comment 22 Bernhard Wiedemann 2014-03-03 10:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (865804) was mentioned in
https://build.opensuse.org/request/show/224392 Factory / gnutls
Comment 23 Bernhard Wiedemann 2014-03-03 11:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (865804) was mentioned in
https://build.opensuse.org/request/show/224403 12.3 / gnutls
Comment 25 Shawn Chang 2014-03-03 16:06:06 UTC
Submitted the patches for SLE-12/Factory/13.1/12.3... This submission includes enabling ECC support. Re-assigning it to the security team.
Comment 26 Bernhard Wiedemann 2014-03-03 17:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (865804) was mentioned in
https://build.opensuse.org/request/show/224509 13.1 / gnutls
Comment 27 Marcus Meissner 2014-03-03 19:44:39 UTC
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7341

http://www.gnutls.org/security.html#GNUTLS-SA-2014-2

A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks. The vulnerability was discovered during an audit of GnuTLS for Red Hat.

Who is affected by this attack?

    Anyone using certificate authentication in any version of GnuTLS.
Comment 28 Swamp Workflow Management 2014-03-03 20:46:34 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 29 Swamp Workflow Management 2014-03-03 20:49:27 UTC
Update released for: gnutls, gnutls-32bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit, gnutls-x86
Products:
SLE-DEBUGINFO 10-SP4 (i386, s390x, x86_64)
SLE-SERVER 10-SP4-LTSS (i386, s390x, x86_64)
Comment 30 Swamp Workflow Management 2014-03-03 20:52:11 UTC
Update released for: gnutls, gnutls-32bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit, gnutls-x86
Products:
SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 31 Swamp Workflow Management 2014-03-03 21:00:58 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-64bit, libgnutls26-x86
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-HAE 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 32 Swamp Workflow Management 2014-03-03 21:03:05 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, s390x, x86_64)
SLE-SERVER 11-SP2-LTSS (i386, s390x, x86_64)
Comment 33 Swamp Workflow Management 2014-03-03 21:04:20 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 34 Swamp Workflow Management 2014-03-03 21:04:41 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-devel
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 35 Swamp Workflow Management 2014-03-04 00:04:36 UTC
SUSE-SU-2014:0319-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (critical)
Bug References: 835760,865804,865993
CVE References: CVE-2009-5138,CVE-2014-0092
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    gnutls-2.4.1-24.39.49.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    gnutls-2.4.1-24.39.49.1
SUSE Linux Enterprise Server 11 SP3 (src):    gnutls-2.4.1-24.39.49.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    gnutls-2.4.1-24.39.49.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    gnutls-2.4.1-24.39.49.1
Comment 36 Swamp Workflow Management 2014-03-04 00:06:34 UTC
SUSE-SU-2014:0320-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (critical)
Bug References: 536809,554084,659128,739898,753301,754223,802651,821818,865804,865993
CVE References: CVE-2009-5138,CVE-2011-4108,CVE-2012-0390,CVE-2012-1569,CVE-2012-1573,CVE-2013-0169,CVE-2013-1619,CVE-2013-2116,CVE-2014-0092
Sources used:
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    gnutls-1.2.10-13.38.1
Comment 37 Swamp Workflow Management 2014-03-04 00:06:59 UTC
SUSE-SU-2014:0321-1: An update that solves one vulnerability and has one errata is now available.

Category: security (critical)
Bug References: 865804,865993
CVE References: CVE-2014-0092
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    gnutls-1.2.10-13.38.1
Comment 38 Swamp Workflow Management 2014-03-04 00:08:06 UTC
SUSE-SU-2014:0322-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (critical)
Bug References: 760265,802651,821818,835760,865804,865993
CVE References: CVE-2009-5138,CVE-2013-1619,CVE-2013-2116,CVE-2014-0092
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    gnutls-2.4.1-24.39.49.1
Comment 39 Swamp Workflow Management 2014-03-04 00:08:41 UTC
SUSE-SU-2014:0323-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (critical)
Bug References: 835760,865804,865993
CVE References: CVE-2014-0092
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    gnutls-2.4.1-24.39.49.1
Comment 40 Swamp Workflow Management 2014-03-04 13:04:21 UTC
Update released for: gnutls, gnutls-devel
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 41 Swamp Workflow Management 2014-03-04 13:46:53 UTC
Update released for: gnutls, gnutls-devel
Products:
SUSE-CORE 9-LTSS (i386, s390, s390x, x86_64)
Comment 42 Marcus Meissner 2014-03-04 15:53:07 UTC
openSUSE updates still in the queue, but progressing.

otherwise done
Comment 43 Swamp Workflow Management 2014-03-04 17:04:21 UTC
SUSE-SU-2014:0324-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 865804
CVE References: CVE-2014-0092
Sources used:
SUSE CORE 9 (src):    gnutls-1.0.8-26.30
Comment 44 Swamp Workflow Management 2014-03-05 07:04:20 UTC
openSUSE-SU-2014:0325-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 865804
CVE References: CVE-2014-0092
Sources used:
openSUSE 13.1 (src):    gnutls-3.2.4-2.14.1
Comment 45 Swamp Workflow Management 2014-03-05 18:04:21 UTC
openSUSE-SU-2014:0328-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 865804
CVE References: CVE-2014-0092
Sources used:
openSUSE 12.3 (src):    gnutls-3.0.28-1.4.1
Comment 46 Swamp Workflow Management 2014-03-08 18:04:22 UTC
openSUSE-SU-2014:0346-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 865804
CVE References: CVE-2013-1619,CVE-2014-0092
Sources used:
openSUSE 11.4 (src):    gnutls-2.8.6-5.25.1
Comment 47 Swamp Workflow Management 2014-03-25 14:46:21 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-x86
Products:
SUSE-MANAGER 1.7 (x86_64)
Comment 48 Swamp Workflow Management 2014-03-25 18:04:58 UTC
SUSE-SU-2014:0445-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 835760,865804,865993
CVE References: CVE-2009-5138,CVE-2014-0092
Sources used:
SUSE Manager 1.7 for SLE 11 SP2 (src):    gnutls-2.4.1-24.39.49.1