gnutls (SL7)

Synopsis: Moderate: gnutls security, bug fix, and enhancement
Advisory ID: SLSA-2017:2292-1
Issue Date: 2017-08-01
CVE Numbers: CVE-2017-5337, CVE-2017-5335, CVE-2017-5336, CVE-2016-7444, CVE-2017-5334, CVE-2017-7869, CVE-2017-7507

The following packages have been upgraded to a later upstream version:
gnutls (3.3.26).

Security Fix(es):

* A double-free flaw was found in the way GnuTLS parsed certain X.509
certificates with the Proxy Certificate Information extension. An attacker
could create a specially crafted certificate which, when processed by an
application compiled against GnuTLS, could cause that application to
crash. (CVE-2017-5334)

* Multiple flaws were found in the way GnuTLS processed OpenPGP
certificates. An attacker could create specially crafted OpenPGP
certificates which, when parsed by GnuTLS, would cause it to crash.
(CVE-2017-5335, CVE-2017-5336, CVE-2017-5337, CVE-2017-7869)

* A NULL pointer dereference flaw was found in the way GnuTLS processed
ClientHello messages with the status_request extension. A remote attacker
could use this flaw to cause an application compiled with GnuTLS to crash.
(CVE-2017-7507)

* A flaw was found in the way GnuTLS validated certificates using OCSP
responses. This flaw could cause a certificate to be falsely reported as
valid under certain circumstances. (CVE-2016-7444)

SL7
  x86_64
    gnutls-3.3.26-9.el7.i686.rpm
    gnutls-3.3.26-9.el7.x86_64.rpm
    gnutls-dane-3.3.26-9.el7.i686.rpm
    gnutls-dane-3.3.26-9.el7.x86_64.rpm
    gnutls-debuginfo-3.3.26-9.el7.i686.rpm
    gnutls-debuginfo-3.3.26-9.el7.x86_64.rpm
    gnutls-utils-3.3.26-9.el7.x86_64.rpm
    gnutls-c++-3.3.26-9.el7.i686.rpm
    gnutls-c++-3.3.26-9.el7.x86_64.rpm
    gnutls-devel-3.3.26-9.el7.i686.rpm
    gnutls-devel-3.3.26-9.el7.x86_64.rpm

– Scientific Linux Development Team
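
An added example, not part of the advisory or of Scientific Linux tooling: a check of the installed gnutls packages against the fixed build 3.3.26-9.el7 from the package list above. The comparison is a simplified form of RPM's version ordering (it assumes no epoch and no `~` or `^` in the strings), and the names `rpmvercmp`, `is_fixed` and `audit` are chosen here.

```python
import re
import subprocess

FIXED = ("3.3.26", "9.el7")  # fixed version-release from the advisory's package list
PACKAGES = ["gnutls", "gnutls-dane", "gnutls-utils", "gnutls-c++", "gnutls-devel"]
QUERY_FORMAT = "%{NAME} %{ARCH} %{VERSION} %{RELEASE}\n"

def rpmvercmp(a, b):
    """RPM-style segment comparison (no epoch, '~' or '^'); returns -1, 0 or 1."""
    seg_a = re.findall(r"\d+|[A-Za-z]+", a)
    seg_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)             # 26 > 9, unlike a string comparison
        if x != y:
            return 1 if x > y else -1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def is_fixed(version, release):
    """True if version-release is at or above the advisory's fixed build."""
    order = rpmvercmp(version, FIXED[0]) or rpmvercmp(release, FIXED[1])
    return order >= 0

def audit(query_output):
    """Map 'name.arch' to (version-release, patched?) from rpm query output."""
    report = {}
    for line in query_output.splitlines():
        fields = line.split()
        if len(fields) != 4:                  # skips "package X is not installed"
            continue
        name, arch, version, release = fields
        report[name + "." + arch] = (version + "-" + release, is_fixed(version, release))
    return report

# Constructed sample of `rpm -q --qf QUERY_FORMAT` output, not captured from a real host.
SAMPLE = """gnutls x86_64 3.3.24 1.el7
gnutls-utils x86_64 3.3.26 9.el7
package gnutls-dane is not installed
gnutls-devel x86_64 3.3.29 9.el7_6
"""

if __name__ == "__main__":
    proc = subprocess.Popen(["rpm", "-q", "--qf", QUERY_FORMAT] + PACKAGES,
                            stdout=subprocess.PIPE, universal_newlines=True)
    for pkg, (evr, ok) in sorted(audit(proc.communicate()[0]).items()):
        print("%-24s %-18s %s" % (pkg, evr, "fixed" if ok else "VULNERABLE"))
```

Processes that loaded the old library keep using it until they restart, so a "fixed" result covers the package on disk, not services already running.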