-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAlzv4moACgkQZWnYVadE
vpMHCA/+MhPaeXBM+ifR5HYAEX6XSUkJrXfK+adqASdntrq2uPC899EeLxGrMqJ2
+1mz5T//zcjapm6H+08ZwnJnts7PGaKopSlik48iAW9Py1vJsaX5TiZSLZezZTDr
9x/WL0Tg5j63kjrQGQ+/Qo+vUr0E0AmzK7eHiapLhnmRbIZz08y1a0tYlGvCTQ6f
gZhqQVSH5ggaLAjYsPWg5R5HTdnpt5Rdd7VyjhLzTAI8VZbUm9fZ0CcEHg1Lt/Bd
v/jftCS6+Ys5J4/a34KiOWcz4BZMIXfpCpeNpptAonDhpXpFRRahMfRBL2FaUzyf
mnWI1YdWXegdLHaOIhKBn6FyoYGoT9AlWGn289Mpdxyd0XE4EsjGtyAiHTYDkGrd
2TCP0z21YBwy5Y/ylI87xS9cuLtoaxs6CHyvEkeF7o7b32W5Petmde0EmG0baD42
6kwN/BP9PGisNWpNZBOx+NpbOafyvEUMp7RrTyLXzHxJiCqOZuqHIIwMw5bIGx5/
cVCnHu4F68ucL8P5GhNrt67/epKRD+83H1znGtRHAZ4y4m3xeXhOuW5QG27BE92C
G+I6kgQFvUPAO0xwSPLbGhBzDGfJ6IBcLbOV89xZb8j2QP7FU8mqYjcRT4/GW5kl
C0/0itxfc2XXcfkz44+duIsghmYzLB95gmO0BC5RCVtK0VBudKQ=
=8mCm
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3999-1
May 30, 2019
gnutls28 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in GnuTLS.
Software Description:
- gnutls28: GNU TLS library
Details:
Eyal Ronen, Kenneth G. Paterson, and Adi Shamir discovered that GnuTLS was
vulnerable to a timing side-channel attack known as the "Lucky Thirteen"
issue. A remote attacker could possibly use this issue to perform
plaintext-recovery attacks via analysis of timing data. This issue only
affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-10844,
CVE-2018-10845, CVE-2018-10846)
Tavis Ormandy discovered that GnuTLS incorrectly handled memory when
verifying certain X.509 certificates. A remote attacker could use this
issue to cause GnuTLS to crash, resulting in a denial of service, or
possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 18.10, and Ubuntu 19.04. (CVE-2019-3829)
It was discovered that GnuTLS incorrectly handled certain post-handshake
messages. A remote attacker could use this issue to cause GnuTLS to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 18.10 and Ubuntu 19.04. (CVE-2019-3836)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.04:
libgnutls30 3.6.5-2ubuntu1.1
Ubuntu 18.10:
libgnutls30 3.6.4-2ubuntu1.2
Ubuntu 18.04 LTS:
libgnutls30 3.5.18-1ubuntu1.1
Ubuntu 16.04 LTS:
libgnutls30 3.4.10-4ubuntu1.5
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3999-1
CVE-2018-10844, CVE-2018-10845, CVE-2018-10846, CVE-2019-3829,
CVE-2019-3836
Package Information:
https://launchpad.net/ubuntu/+source/gnutls28/3.6.5-2ubuntu1.1
https://launchpad.net/ubuntu/+source/gnutls28/3.6.4-2ubuntu1.2
https://launchpad.net/ubuntu/+source/gnutls28/3.5.18-1ubuntu1.1
https://launchpad.net/ubuntu/+source/gnutls28/3.4.10-4ubuntu1.5
No comments:
Post a Comment