From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------- Debian Security Advisory DSA-1935-1
[email protected] http://www.debian.org/security/ Giuseppe Iuculano November 17th, 2009
http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Packages : gnutls13 gnutls26
Vulnerability : several vulnerabilities
Problem type : remote
Debian-specific: no
Debian bug : 541439
CVE Ids : CVE-2009-2409 CVE-2009-2730
Dan Kaminsky and Moxie Marlinspike discovered that gnutls, an implementation of the TLS/SSL protocol, does not properly handle a '\0' character in a domain name
in the subject's Common Name or Subject Alternative Name (SAN) field of an X.509
certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. (CVE-2009-2730)
In addition, with this update, certificates with MD2 hash signatures are no longer accepted since they're no longer considered cryptograhically secure. It only affects the oldstable distribution (etch).(CVE-2009-2409)
For the oldstable distribution (etch), these problems have been fixed in version
1.4.4-3+etch5 for gnutls13.
For the stable distribution (lenny), these problems have been fixed in version 2.4.2-6+lenny2 for gnutls26.
For the testing distribution (squeeze), and the unstable distribution (sid), these problems have been fixed in version 2.8.3-1 for gnutls26.
We recommend that you upgrade your gnutls13/gnutls26 packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4.orig.tar.gz
Size/MD5 checksum: 4752009 c06ada020e2b69caa51833175d59f8b2
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4-3+etch5.dsc
Size/MD5 checksum: 968 0d1e0d44616d6f6a53b6c1f567849f56
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4-3+etch5.diff.gz
Size/MD5 checksum: 22775 f6ddd230b956dec89fccf43ea9f64c20
Architecture independent packages:
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-doc_1.4.4-3+etch5_all.deb
Size/MD5 checksum: 2320326 d29321b23395f3bd314b9eee58f351e3
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch5_alpha.deb
Size/MD5 checksum: 524412 3cec75cb5cc88eb5232c4f29690daf9c
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch5_alpha.deb
Size/MD5 checksum: 196642 9c9f57aad568b9a401d6c1d01d2d7b8d
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch5_alpha.deb
Size/MD5 checksum: 328464 e5323045e55edea08408bfb9b47d31bc
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch5_alpha.deb
Size/MD5 checksum: 547790 454e9579fc03822ba624f1b95a2233db
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch5_amd64.deb
Size/MD5 checksum: 389592 c223bf87fc20485989fac3d45781479e
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch5_amd64.deb
Size/MD5 checksum: 539538 aa4f2394318c69cfb830b0b9ff60910f
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch5_amd64.deb
Size/MD5 checksum: 183748 179c1000c3fb9eb03ccc4e4d13be31b7
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch5_amd64.deb
Size/MD5 checksum: 314988 147a2771b4a5ec7f0d96b261568876a9
arm architecture (ARM)
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch5_arm.deb
Size/MD5 checksum: 511366 a4d8c9026f1796c25cb2b7c52ef2a3ed
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch5_arm.deb
Size/MD5 checksum: 170044 b6bde115c495dce839a52c7429f0dbf2
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch5_arm.deb
Size/MD5 checksum: 355394 dd804a20100e1ea6e952822f10f7439b
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch5_arm.deb
Size/MD5 checksum: 283498 d1812b33b152335943b56b27766b06b1
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch5_hppa.deb
Size/MD5 checksum: 184760 2c91694636ada0deaf3d6bf5282b2e39
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch5_hppa.deb
Size/MD5 checksum: 435846 9aca168f530875a37e2f642e4eedf8d7
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch5_hppa.deb
Size/MD5 checksum: 522290 0c7d5b25764b7417614b060bfd75ba0b
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch5_hppa.deb
Size/MD5 checksum: 313032 8ce1083248396d54bfa7e5e48d8d539f
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch5_i386.deb
Size/MD5 checksum: 361204 cebc5c072963706a77e1de7a4e3007ff
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch5_i386.deb
Size/MD5 checksum: 526762 fc875479e7073f653d1861466b161c4f
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch5_i386.deb
Size/MD5 checksum: 283234 e631928f6b98dfb87101c95a3ef05d5b
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)