GnuTLS vulnerability now fixed in many Linux distributions

Earlier this week, a new security vulnerability was discovered in the GnuTLS SSL/TLS library.
The vulnerability, indexed as CVE-2014-0092 or GNUTLS-SA-2014-2, affects the code responsible for verification of X.509 certificates and could potentially allow eavesdropping on encrypted network traffic.

The good news for Linux users and system administrators is that the problem has been resolved in GnuTLS version 3.2.12.
Fixes are already available for most enterprise and desktop Linux distributions, and patches have been published in the version 2.12.x git tree.
However, as both Ars Technica and Tom's Guide have suggested, the vulnerability might affect more than just Linux servers and workstations.
As a matter of fact, any application or appliance relying on a pre-3.2.12 version of GnuTLS is vulnerable and will require an update.

Here's a collection of related advisories for Linux distributions:

Debian
http://www.debian.org/security/2014/dsa-2869

Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=1071795

Red Hat
https://www.redhat.com/security/data/cve/CVE-2014-0092.html

Suse
http://support.novell.com/security/cve/CVE-2014-0092.html

Ubuntu
http://www.ubuntu.com/usn/usn-2127-1/
