Spotlight | Reviews | Current Issue | Newsletter | Subscribe | Contact |
News
Features
Blogs
RSS Feeds
White Papers
Conference Videos
Departments
Current Issue
Special Editions
Spotlight
Reviews
Event Calendar
Archives
Article Code

Partner Links
Website builder
WinWeb OnlineOffice
Shopping and price comparison with product reviews at dooyoo.co.uk

user friendly

CeBIT 2010

High-class talks around the clock in the Forum, non-commercial projects presenting their work, new developments at the largest IT fair in the world, CeBIT Open Source 2010 in Hanover, Germany.

Visit them in hall 2, March 2-6 or here.

  linux-magazine.com » Online » News » Two GnuTLS Bugfix Releases  

Print this page. Recommend
Slashdot it! Delicious Share on Facebook Tweet! Digg

Two GnuTLS Bugfix Releases

May 21, 2008

The GnuTLS project has published two bugfix releases to close several vulnerabilities and resolve an error capable of interrupting connections.

The developers closed down three security holes in the GnuTLS encryption library in version 2.2.4, however, the release introduced a new bug. According to security researchers Secunia, the vulnerabilities closed by the 2.2.4 release were extremely critical.

Attackers could exploit the three bugs to perform denial of service attacks: a sign error in the "_gnutls_ciphertext2compressed()" function, which is part of the "lib/gnutls_cipher.c" library, led to a read/write error capable of crashing applications affected by it. Two further errors occurred in "Client Hello" message processing – attackers could exploit the first error by injecting a manipulated "Server Name" extension to trigger a heap based buffer overflow which could then be exploited to execute arbitrary code. The second error was a null pointer dereference that could cause the application to crash. All of these vulnerabilities were confirmed for all GnuTLS versions prior to 2.2.4.

Version 2.2.5 published the same day removes errors introduced by the developers in 2.2.4, mainly a bug that caused interruptions to service.

The stable release and patches for older versions are available for downloading from various mirror servers. For more information on the vulnerabilities by the developers themselves, visit the GnuTLS website.

(Jan Rähm)

Comments


Print this page. Recommend
Slashdot it! Delicious Share on Facebook Tweet! Digg
Related Articles
First Bugfix Release for KDE 4
First Maintenance Update for Firefox 3
Debian Updates Lenny
Stable Kernel 2.6.22.2 Released
GnuTLS Version 2.0.0 Released
GCC 4.2.2 Fixes Bugs
FREE Live Streaming Video from ApacheCon US 2009

Watch our free Video Archive from Apachecon US 2009. Archive provided by The Apache Foundation, COLLABNET, and Linux Pro Magazine

Drawing internationally renowned thought-leaders, contributors, and organizations in the Open Source community, ApacheCon offers insight into the culture and community that develops and shepherds industry-leading Open Source projects, including Apache HTTP Server – the world's most popular Web server software for more than 10 years.

Find out more

 

In the US and Canada, Linux Magazine is known as Linux Pro Magazine.
Entire contents © 2010 [Linux New Media USA, LLC]
Linux New Media web sites:
North America: [Linux Pro Magazine]
UK/Worldwide: [Linux Magazine]
Germany: [Linux-Magazin] [LinuxUser] [EasyLinux] [Linux-Community] [Linux Technical Review]
Eastern Europe: [Linux Magazine Poland] [Linux Community Poland]
International: [Linux Magazine Brazil] [EasyLinux Brazil] [Linux Magazine Spanish]
Corporate: [Linux New Media AG]