Debian DSA-1581-1 : gnutls13 - several vulnerabilities
Critical Nessus Plugin ID 32403
Synopsis
The remote Debian host is missing a security-related update.
Description
Several remote vulnerabilities have been discovered in GNUTLS, an implementation of the SSL/TLS protocol suite.
NOTE: The libgnutls13 package, which provides the GNUTLS library, does not contain logic to automatically restart potentially affected services. You must restart affected services manually (mainly Exim, using '/etc/init.d/exim4 restart') after applying the update, to make the changes fully effective. Alternatively, you can reboot the system.
The Common Vulnerabilities and Exposures project identifies the following problems :
- CVE-2008-1948 A pre-authentication heap overflow involving oversized session resumption data may lead to arbitrary code execution.
- CVE-2008-1949 Repeated client hellos may result in a pre-authentication denial of service condition due to a NULL pointer dereference.
- CVE-2008-1950 Decoding cipher padding with an invalid record length may cause GNUTLS to read memory beyond the end of the received record, leading to a pre-authentication denial of service condition.
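The third item describes CBC padding being decoded against a record length it does not fit in, so the library reads past the end of the received record. The following is an added illustration written for this page in generic C, not GnuTLS source and not the patch the update carries: the unchecked length arithmetic beside a bounded check, run over constructed sample records. The record layout assumed is the TLS 1.0 one (the last byte gives the padding length, and every padding byte equals it); the function and sample names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result codes for the hardened padding check (names chosen for this example). */
enum { PAD_OK = 0, PAD_ERR_LENGTH = -1, PAD_ERR_CONTENT = -2 };

/* The unchecked arithmetic an implementation might do after reading the
 * padding length byte. When pad_len + 1 exceeds rec_len the size_t
 * subtraction wraps to a huge value; used afterwards as a length or
 * index, that value reads far beyond the record. Returned rather than
 * used here, so the demonstration itself stays in bounds. */
size_t naive_payload_len(size_t rec_len, uint8_t pad_len)
{
    return rec_len - pad_len - 1;   /* no bounds check */
}

/* Hardened removal: bound pad_len by the record length before any byte
 * past the last one is touched, then verify every padding byte. */
int strip_cbc_padding(const uint8_t *rec, size_t rec_len, size_t *payload_len)
{
    if (rec == NULL || rec_len == 0)
        return PAD_ERR_LENGTH;

    uint8_t pad_len = rec[rec_len - 1];
    /* pad_len + 1 padding bytes must fit inside the record */
    if ((size_t)pad_len + 1 > rec_len)
        return PAD_ERR_LENGTH;

    /* TLS 1.0+ rule: each padding byte equals pad_len; accumulate instead
     * of breaking early so a forged pad is rejected in full */
    int bad = 0;
    for (size_t i = rec_len - 1 - pad_len; i < rec_len; i++)
        bad |= rec[i] ^ pad_len;
    if (bad)
        return PAD_ERR_CONTENT;

    *payload_len = rec_len - 1 - pad_len;
    return PAD_OK;
}

/* Convenience wrapper: payload length (>= 0) on success, else the error code. */
long check_record(const uint8_t *rec, size_t rec_len)
{
    size_t n = 0;
    int rc = strip_cbc_padding(rec, rec_len, &n);
    return rc == PAD_OK ? (long)n : rc;
}

/* Constructed sample records (decrypted CBC blocks, padding at the end). */
const uint8_t SAMPLE_GOOD[]   = { 'h', 'i', 0x02, 0x02, 0x02 }; /* 2 payload + 3 pad */
const uint8_t SAMPLE_BADLEN[] = { 'h', 'i', 0x00, 0x00, 0xF0 }; /* claims 241 pad bytes */
const uint8_t SAMPLE_BADPAD[] = { 'h', 'i', 0x01, 0x02, 0x02 }; /* pad bytes disagree */

int main(void)
{
    printf("good record:    %ld payload bytes\n", check_record(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("bad length:     rc=%ld\n", check_record(SAMPLE_BADLEN, sizeof SAMPLE_BADLEN));
    printf("bad pad bytes:  rc=%ld\n", check_record(SAMPLE_BADPAD, sizeof SAMPLE_BADPAD));
    printf("naive length for the bad-length record: %zu (wrapped past the record)\n",
           naive_payload_len(sizeof SAMPLE_BADLEN, 0xF0));
    return 0;
}
```

The bounded check is what prevents the out-of-bounds read. It is written for clarity, not constant time: the two early returns let an observer distinguish length errors from content errors, a separate concern this advisory does not address but one to keep in mind before reusing the shape in real record processing.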
Solution
Upgrade the GNUTLS packages.
For the stable distribution (etch), these problems have been fixed in version 1.4.4-3+etch1. (Builds for the arm architecture are currently not available and will be released later.)