CVE-2005-1431
CVSS 5.0
Published: 2005-05-03 00:00:00
Revised: 2010-08-21 00:28:51

[Original] The "record packet parsing" in GnuTLS 1.2 before 1.2.3 and 1.0 before 1.0.25 allows remote attackers to cause a denial of service, possibly related to padding bytes in gnutils_cipher.c.


[CNNVD] GnuTLS Padding Denial of Service Vulnerability (CNNVD-200505-874)

        The "record packet parsing" in GnuTLS 1.2 before 1.2.3 and 1.0 before 1.0.25 allows remote attackers to cause a denial of service, possibly related to padding bytes in gnutils_cipher.c.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: [--]
Authentication: NONE [no authentication is needed to exploit]

- CPE (affected platforms and products)

cpe:/a:gnu:gnutls:1.0.18    GNU GnuTLS 1.0.18
cpe:/a:gnu:gnutls:1.0.19    GNU GnuTLS 1.0.19
cpe:/a:gnu:gnutls:1.0.20    GNU GnuTLS 1.0.20
cpe:/a:gnu:gnutls:1.0.21    GNU GnuTLS 1.0.21
cpe:/a:gnu:gnutls:1.0.22    GNU GnuTLS 1.0.22
cpe:/a:gnu:gnutls:1.0.23    GNU GnuTLS 1.0.23
cpe:/a:gnu:gnutls:1.0.24    GNU GnuTLS 1.0.24
cpe:/a:gnu:gnutls:1.2.0     GNU GnuTLS 1.2.0
cpe:/a:gnu:gnutls:1.2.1     GNU GnuTLS 1.2.1
cpe:/a:gnu:gnutls:1.2.2     GNU GnuTLS 1.2.2

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9238    The "record packet parsing" in GnuTLS 1.2 before 1.2.3 and 1.0 before 1.0.25 allows remote attackers to cause a denial of service, possibly ...
*OVAL describes in detail how to detect this vulnerability; the referenced OVAL definition carries the technical details of the check.
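As an added worked example (not an OVAL definition and not GnuTLS code), the following C function applies the version ranges stated in the CVE text above, 1.0.x before 1.0.25 and 1.2.x before 1.2.3, to an upstream version string. The function and enum names are this example's own. One caveat the distribution advisories on this page make concrete: packages such as Ubuntu's 1.0.16-13ubuntu0.1 carry a backported fix, so a package version string cannot be judged by the upstream ranges; the parser rejects such strings rather than misclassifying them, and the distribution advisory is the authority for those.

```c
/* Added example, not an OVAL definition and not GnuTLS code: classify a
 * GnuTLS upstream version string against the ranges stated in
 * CVE-2005-1431 (1.0.x before 1.0.25, 1.2.x before 1.2.3). Branches the
 * CVE text says nothing about are reported as not covered, not guessed. */
#include <stdio.h>

enum cve_2005_1431_status {
    STATUS_BAD_VERSION = -1, /* not a plain major.minor.patch string */
    STATUS_NOT_AFFECTED = 0,
    STATUS_AFFECTED = 1,
    STATUS_NOT_COVERED = 2   /* branch the CVE text does not mention */
};

/* Parses exactly "major.minor.patch"; returns 0 on success, -1 otherwise.
 * Distribution strings such as "1.0.16-13ubuntu0.1" are rejected on
 * purpose: they carry backported fixes (see USN-126-1 on this page) and
 * cannot be judged by upstream ranges. */
int parse_upstream_version(const char *s, int *major, int *minor, int *patch)
{
    char trailing;
    if (sscanf(s, "%d.%d.%d%c", major, minor, patch, &trailing) != 3)
        return -1;
    if (*major < 0 || *minor < 0 || *patch < 0)
        return -1;
    return 0;
}

int gnutls_cve_2005_1431_status(const char *version)
{
    int major, minor, patch;
    if (parse_upstream_version(version, &major, &minor, &patch) != 0)
        return STATUS_BAD_VERSION;
    if (major == 1 && minor == 0)
        return patch < 25 ? STATUS_AFFECTED : STATUS_NOT_AFFECTED;
    if (major == 1 && minor == 2)
        return patch < 3 ? STATUS_AFFECTED : STATUS_NOT_AFFECTED;
    return STATUS_NOT_COVERED;
}

int main(void)
{
    /* Constructed inputs for the demonstration. */
    const char *samples[] = { "1.0.24", "1.0.25", "1.2.2", "1.2.3",
                              "1.1.20", "1.0.16-13ubuntu0.1" };
    static const char *names[] = { "bad version", "not affected",
                                   "affected", "not covered" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int st = gnutls_cve_2005_1431_status(samples[i]);
        printf("%-20s %s\n", samples[i], names[st + 1]);
    }
    return 0;
}
```

The strict `%c` trailer in the format string is what turns a distribution package version into a rejection instead of a false "affected" or "not affected" verdict.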

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1431
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1431
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-874
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/20328
(UNKNOWN)  XF  gnutls-record-parsing-dos(20328)
http://www.securityfocus.com/bid/13477
(UNKNOWN)  BID  13477
http://www.osvdb.org/16054
(UNKNOWN)  OSVDB  16054
http://securitytracker.com/id?1013861
(UNKNOWN)  SECTRACK  1013861
http://secunia.com/advisories/15193
(UNKNOWN)  SECUNIA  15193
http://lists.gnupg.org/pipermail/gnutls-dev/2005-April/000858.html
(UNKNOWN)  MLIST  [gnutls-dev] 20050428 GnuTLS 1.2.3 and 1.0.25
http://www.redhat.com/support/errata/RHSA-2005-430.html
(UNKNOWN)  REDHAT  RHSA-2005:430

- Vulnerability information

GnuTLS Padding Denial of Service Vulnerability
Medium  Other
2005-05-03 00:00:00 2005-10-20 00:00:00
Remote
        The "record packet parsing" in GnuTLS 1.2 before 1.2.3 and 1.0 before 1.0.25 allows remote attackers to cause a denial of service, possibly related to padding bytes in gnutils_cipher.c.

- Advisories and patches

        The vendor has released an upgrade that fixes this security issue; download links:
        GNU GnuTLS 1.0
        GNU gnutls-1.0.25.tar.gz
        ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.0.25.tar.gz
        GNU GnuTLS 1.0.1
        GNU gnutls-1.0.25.tar.gz
        ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.0.25.tar.gz
        GNU GnuTLS 1.0.14
        GNU gnutls-1.0.25.tar.gz
        ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.0.25.tar.gz
        GNU GnuTLS 1.0.15
        GNU gnutls-1.0.25.tar.gz
        ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.0.25.tar.gz
        GNU GnuTLS 1.0.16
        GNU gnutls-1.0.25.tar.gz
        ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.0.25.tar.gz
        Ubuntu gnutls-bin_1.0.16-13ubuntu0.1_amd64.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/gnutls-bin_1.0.16-13ubuntu0.1_amd64.deb
        Ubuntu gnutls-bin_1.0.16-13ubuntu0.1_i386.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/gnutls-bin_1.0.16-13ubuntu0.1_i386.deb
        Ubuntu gnutls-bin_1.0.16-13ubuntu0.1_ia64.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/gnutls-bin_1.0.16-13ubuntu0.1_ia64.deb
        Ubuntu gnutls-bin_1.0.16-13ubuntu0.1_powerpc.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/gnutls-bin_1.0.16-13ubuntu0.1_powerpc.deb
        Ubuntu libgnutls11-dbg_1.0.16-13ubuntu0.1_amd64.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/libgnutls11-dbg_1.0.16-13ubuntu0.1_amd64.deb
        Ubuntu libgnutls11-dbg_1.0.16-13ubuntu0.1_i386.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/libgnutls11-dbg_1.0.16-13ubuntu0.1_i386.deb
        Ubuntu libgnutls11-dbg_1.0.16-13ubuntu0.1_ia64.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/libgnutls11-dbg_1.0.16-13ubuntu0.1_ia64.deb
        Ubuntu libgnutls11-dbg_1.0.16-13ubuntu0.1_powerpc.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/libgnutls11-dbg_1.0.16-13ubuntu0.1_powerpc.deb
        Ubuntu libgnutls11-dev_1.0.16-13ubuntu0.1_amd64.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11-dev_1.0.16-13ubuntu0.1_amd64.deb
        Ubuntu libgnutls11-dev_1.0.16-13ubuntu0.1_i386.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11-dev_1.0.16-13ubuntu0.1_i386.deb
        Ubuntu libgnutls11-dev_1.0.16-13ubuntu0.1_ia64.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11-dev_1.0.16-13ubuntu0.1_ia64.deb
        Ubuntu libgnutls11-dev_1.0.16-13ubuntu0.1_powerpc.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11-dev_1.0.16-13ubuntu0.1_powerpc.deb
        Ubuntu libgnutls11_1.0.16-13ubuntu0.1_amd64.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11_1.0.16-13ubuntu0.1_amd64.deb
        Ubuntu libgnutls11_1.0.16-13ubuntu0.1_i386.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11_1.0.16-13ubuntu0.1_i386.deb
        Ubuntu libgnutls11_1.0.16-13ubuntu0.1_ia64.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11_1.0.16-13ubuntu0.1_ia64.deb
        Ubuntu libgnutls11_1.0.16-13ubuntu0.1_powerpc.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11_1.0.16-13ubuntu0.1_powerpc.deb
        GNU GnuTLS 1.0.17
        Fedora gnutls-1.0.20-3.1.1.i386.rpm
        RedHat Fedora Core 3
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
        Fedora gnutls-1.0.20-3.1.1.x86_64.rpm
        RedHat Fedora Core 3
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
        Fedora gnutls-debuginfo-1.0.20-3.1.1.i386.rpm
        RedHat Fedora Core 3
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
        Fedora gnutls-debuginfo-1.0.20-3.1.1.x86_64.rpm
        RedHat Fedora Core 3
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
        Fedora gnutls-devel-1.0.20-3.1.1.i386.rpm
        RedHat Fedora Core 3
        http://download.fedora.redhat.com/pub

- Vulnerability information (F38551)

Ubuntu Security Notice 126-1 (PacketStormID:F38551)
2005-07-08 00:00:00
Ubuntu  ubuntu.com
advisory,denial of service
linux,ubuntu
CVE-2005-1431

Ubuntu Security Notice USN-126-1 - A denial of service vulnerability was discovered in the GNU TLS library, which provides common cryptographic algorithms and is used by many applications in Ubuntu. Due to a missing sanity check of the padding length field, specially crafted ciphertext blocks caused an out of bounds memory access which could crash the application. It was not possible to exploit this to execute any attacker specified code.

===========================================================
Ubuntu Security Notice USN-126-1	       May 13, 2005
gnutls11, gnutls10 vulnerability
CAN-2005-1431
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libgnutls10
libgnutls11
libgnutls11-dbg

The problem can be corrected by upgrading the affected package to
version 1.0.4-3ubuntu1.1 (for Ubuntu 4.10), or 1.0.16-13ubuntu0.1 (for
Ubuntu 5.04).  For most desktop applications, a standard system
upgrade is sufficient to effect the necessary changes. However, if you
are using server and long running applications that use libgnutls
(cupsys, exim4, Gaim), you must restart them manually. If you can
afford to reboot your machine, this is the easiest way to ensure that
all services using this library are restarted correctly.

Details follow:

A Denial of Service vulnerability was discovered in the GNU TLS
library, which provides common cryptographic algorithms and is used by
many applications in Ubuntu. Due to a missing sanity check of the
padding length field, specially crafted ciphertext blocks caused an
out of bounds memory access which could crash the application. It was
not possible to exploit this to execute any attacker specified code.

Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls10/gnutls10_1.0.4-3ubuntu1.1.diff.gz
      Size/MD5:    49877 a421703ee46eaba0ac70a6d892069139
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls10/gnutls10_1.0.4-3ubuntu1.1.dsc
      Size/MD5:      863 831a452e9369be66097d520579a66354
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls10/gnutls10_1.0.4.orig.tar.gz
      Size/MD5:  1378290 565d2835b772008689476488265f4e99

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls10/libgnutls-doc_1.0.4-3ubuntu1.1_all.deb
      Size/MD5:   553460 77af9be62e963e2771ff3ce9259dd086

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls10/gnutls-bin_1.0.4-3ubuntu1.1_amd64.deb
      Size/MD5:   193656 11b33a8fff25292ac2ae1b680de3c006
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls10/libgnutls10-dev_1.0.4-3ubuntu1.1_amd64.deb
      Size/MD5:   367136 a5a4b023309977a4ac05abaf400ef65a
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls10/libgnutls10_1.0.4-3ubuntu1.1_amd64.deb
      Size/MD5:   309288 9030fd065858abe487993fff229d9c61

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls10/gnutls-bin_1.0.4-3ubuntu1.1_i386.deb
      Size/MD5:   185176 6e27b1181c07ec15991bf30b227d559f
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls10/libgnutls10-dev_1.0.4-3ubuntu1.1_i386.deb
      Size/MD5:   328650 9a3ef7584be77d7d6dbd136032f55e89
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls10/libgnutls10_1.0.4-3ubuntu1.1_i386.deb
      Size/MD5:   279368 3f8c3b8ed3b96649c2a973846bc824f0

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls10/gnutls-bin_1.0.4-3ubuntu1.1_powerpc.deb
      Size/MD5:   195926 f0f90f8b4c004a70019a7188c78a2ffc
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls10/libgnutls10-dev_1.0.4-3ubuntu1.1_powerpc.deb
      Size/MD5:   396076 88fba2e88301873bb674e34a398a1af4
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls10/libgnutls10_1.0.4-3ubuntu1.1_powerpc.deb
      Size/MD5:   284662 71c918cd7d3b1e445ac43be2705c1723

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/gnutls11_1.0.16-13ubuntu0.1.diff.gz
      Size/MD5:   337831 08f61cd8a964751d06c208237985ac7b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/gnutls11_1.0.16-13ubuntu0.1.dsc
      Size/MD5:      814 40bd2f5530ed7d27f5f6c8dcce325a4a
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/gnutls11_1.0.16.orig.tar.gz
      Size/MD5:  1504638 7b410fa3c563c7988e434a8c8671b3cd

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/gnutls-bin_1.0.16-13ubuntu0.1_amd64.deb
      Size/MD5:   217154 74e29f9aa85a515c7cf387a9a77ad901
    http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/libgnutls11-dbg_1.0.16-13ubuntu0.1_amd64.deb
      Size/MD5:   574984 9a68ba7e194b594265e48c81cea0c5d6
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11-dev_1.0.16-13ubuntu0.1_amd64.deb
      Size/MD5:   392034 bbbe41cdaac3a4402124be97b0b905f5
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11_1.0.16-13ubuntu0.1_amd64.deb
      Size/MD5:   326610 4b973b460ab26e7c61fe66c99e745c37

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/gnutls-bin_1.0.16-13ubuntu0.1_i386.deb
      Size/MD5:   203144 9997faa5bbfc8f2181856ad51d4fb82a
    http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/libgnutls11-dbg_1.0.16-13ubuntu0.1_i386.deb
      Size/MD5:   554796 e0730689824c59ccdc5285c1ec801043
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11-dev_1.0.16-13ubuntu0.1_i386.deb
      Size/MD5:   356846 fb313893aa729272b5e12a8c9b0da5db
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11_1.0.16-13ubuntu0.1_i386.deb
      Size/MD5:   293072 aa53297d5112cb6d40805256b1427384

  ia64 architecture (Intel Itanium)

    http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/gnutls-bin_1.0.16-13ubuntu0.1_ia64.deb
      Size/MD5:   258640 5eb86c32dbc2181ba54f2522e6fa2f5b
    http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/libgnutls11-dbg_1.0.16-13ubuntu0.1_ia64.deb
      Size/MD5:   585292 db08a7b1ac9e5b9e1ab2bf964d18162c
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11-dev_1.0.16-13ubuntu0.1_ia64.deb
      Size/MD5:   521564 827ea4039e5b2b1e06e0c4c27ff7bc16
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11_1.0.16-13ubuntu0.1_ia64.deb
      Size/MD5:   384526 45bd4f99407f7cae773b4c7302927df4

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/gnutls-bin_1.0.16-13ubuntu0.1_powerpc.deb
      Size/MD5:   218072 6c76d07dc561da7a749a3bf72a4f14a3
    http://security.ubuntu.com/ubuntu/pool/universe/g/gnutls11/libgnutls11-dbg_1.0.16-13ubuntu0.1_powerpc.deb
      Size/MD5:  1417598 470ec82e16a7937bf2cb66586181cae0
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11-dev_1.0.16-13ubuntu0.1_powerpc.deb
      Size/MD5:   388428 0f628a18a2f3c4b01bc7ac1da8e9fd5e
    http://security.ubuntu.com/ubuntu/pool/main/g/gnutls11/libgnutls11_1.0.16-13ubuntu0.1_powerpc.deb
      Size/MD5:   299128 8810c5d0fe0c2b3780f2ce9d0a1058e1

    

- Vulnerability information (F38411)

Gentoo Linux Security Advisory 200505-4 (PacketStormID:F38411)
2005-07-02 00:00:00
Gentoo  security.gentoo.org
advisory
linux,gentoo
CVE-2005-1431

Gentoo Linux Security Advisory GLSA 200505-04 - A vulnerability has been discovered in the record packet parsing in the GnuTLS library. Additionally, a flaw was also found in the RSA key export functionality. Versions less than 1.2.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200505-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GnuTLS: Denial of Service vulnerability
      Date: May 09, 2005
      Bugs: #90726
        ID: 200505-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The GnuTLS library is vulnerable to Denial of Service attacks.

Background
==========

GnuTLS is a free TLS 1.0 and SSL 3.0 implementation for the GNU
project.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  net-libs/gnutls       < 1.2.3                            >= 1.2.3
                                                            *>= 1.0.25

Description
===========

A vulnerability has been discovered in the record packet parsing in the
GnuTLS library. Additionally, a flaw was also found in the RSA key
export functionality.

Impact
======

A remote attacker could exploit this vulnerability and cause a Denial
of Service to any application that utilizes the GnuTLS library.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GnuTLS users should remove the existing installation and upgrade to
the latest version:

    # emerge --sync
    # emerge --unmerge gnutls
    # emerge --ask --oneshot --verbose net-libs/gnutls

Due to small API changes with the previous version, please do the
following to ensure your applications are using the latest GnuTLS that
you just emerged.

    # revdep-rebuild --soname-regexp libgnutls.so.1[0-1]

Previously exported RSA keys can be fixed by executing the following
command on the key files:

    # certtool -k infile outfile

References
==========

  [ 1 ] GnuTLS Announcement
        http://lists.gnupg.org/pipermail/gnutls-dev/2005-April/000858.html
  [ 2 ] CAN-2005-1431
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1431

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200505-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
    

- Vulnerability information

OSVDB 16054
GnuTLS Record Packet Parsing Unspecified DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Unknown

- Vulnerability description

GnuTLS contains a flaw that may allow a remote denial of service. The issue is due to an error in the record packet parsing routines, and will result in loss of availability for the platform. No further details have been provided.

- Timeline

Disclosure date: 2005-04-28; other timeline entries: unknown

- Solution

Upgrade to version 1.0.25, 1.2.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credit

Unknown or Incomplete

- Vulnerability information

GNUTLS Padding Denial of Service Vulnerability
Class: Failure to Handle Exceptional Conditions
Bugtraq ID: 13477
Remote: Yes  Local: No
Published: 2005-05-03 12:00:00  Updated: 2007-02-28 12:46:00
The individual or individuals responsible for the discovery of this issue are currently unknown; the vendor disclosed this issue.

- Affected versions

Ubuntu Linux 5.04 powerpc
Ubuntu Linux 5.04 i386
Ubuntu Linux 5.04 amd64
Ubuntu Linux 4.10 ppc
Ubuntu Linux 4.10 ia64
Ubuntu Linux 4.10 ia32
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Fedora Core3
Red Hat Enterprise Linux AS 4
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
GNU GnuTLS 1.2
GNU GnuTLS 1.0.17
GNU GnuTLS 1.0.16
GNU GnuTLS 1.0.15
GNU GnuTLS 1.0.14
GNU GnuTLS 1.0.9
GNU GnuTLS 1.0.8
GNU GnuTLS 1.0.7
GNU GnuTLS 1.0.6
GNU GnuTLS 1.0.5
GNU GnuTLS 1.0.4
GNU GnuTLS 1.0.3
GNU GnuTLS 1.0.2
GNU GnuTLS 1.0.1
GNU GnuTLS 1.0
Gentoo Linux

- Not affected versions

GNU GnuTLS 1.2.3
GNU GnuTLS 1.0.25
+ Red Hat Fedora Core4

- Discussion

GnuTLS is prone to a denial-of-service vulnerability. A remote attacker can send specifically designed data to cause a flaw in the parsing, leading to denial-of-service conditions.

This issue has been addressed in GnuTLS versions 1.0.25 and 1.2.3; earlier versions are vulnerable.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com.

- Solution

The vendor has addressed this issue in GnuTLS versions 1.0.25 and 1.2.3.

Please see the referenced advisories for more information.


GNU GnuTLS 1.0
GNU GnuTLS 1.0.1
GNU GnuTLS 1.0.14
GNU GnuTLS 1.0.15
GNU GnuTLS 1.0.16
GNU GnuTLS 1.0.17
GNU GnuTLS 1.0.2
GNU GnuTLS 1.0.3
GNU GnuTLS 1.0.4
GNU GnuTLS 1.0.5
GNU GnuTLS 1.0.6
GNU GnuTLS 1.0.7
GNU GnuTLS 1.0.8
GNU GnuTLS 1.0.9
GNU GnuTLS 1.2
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's websites.