----- B a l a B i t   S e c u r i t y   A d v i s o r y   ( B B S A ) -----

PACKAGE            : gnutls11
AFFECTED VERSION   : <= 1.0.16-13.2sarge1.zorpos1, <= 1.2.9-2ubuntu1.1
FIXED              : 1.0.16-13.2sarge1.zorpos2, 1.2.9-2ubuntu1.1.zorpos33.1
SUMMARY            : multiple vulnerabilities
TYPE               : remote
AFFECTED           : ZorpOS 3.1
ZORP-OS SPECIFIC   : NO
BBSA-AUTHOR        : Tamás Pál
BBSA-ID            : BBSA-2008-022
BBSA-ADDRESS       : advisory@balabit.hu
GNUPG FINGERPRINT  : 933E 6763 D32D A01C 1A75 F228 9CB1 81C7 D91E 8915
CVE                : CVE-2008-1948, CVE-2008-1949, CVE-2008-1950
DATE               : May 21, 2008

-----------------------------------------------------------------------------

BACKGROUND:

Several remote vulnerabilities have been discovered in GNUTLS, an
implementation of the SSL/TLS protocol suite.

CVE-2008-1948: A pre-authentication heap overflow involving oversized
session resumption data may lead to arbitrary code execution.

CVE-2008-1949: Repeated client hellos may result in a pre-authentication
denial of service condition due to a null pointer dereference.

CVE-2008-1950: Decoding cipher padding with an invalid record length may
cause GNUTLS to read memory beyond the end of the received record, leading
to a pre-authentication denial of service condition.

SOLUTION:

We recommend that you update the affected packages immediately.

Upgrading using apt:
~~~~~~~~~~~~~~~~~~~~

Add the following line to /etc/apt/sources.list (if it doesn't contain this
line already):

ZorpOS version 3.1:

  deb https://USERNAME:PASSWORD@apt.balabit.hu/zorp-os \
      zorp-os-3.1/3.1security zorp-os zorp-os-extra

ZorpOS version 3.3:

  deb https://USERNAME:PASSWORD@apt.balabit.hu/zorp-os \
      zorp-os-3.3/3.3security zorp-os zorp-os-extra

then issue the following commands as root:

  apt-get update
  apt-get -u upgrade

The latest upgrades will be downloaded and installed.
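The CVE-2008-1950 entry above describes a decoder trusting a padding length taken from the record itself. The following C program, added here as an educational illustration and not GnuTLS's code, models a decrypted TLS 1.x CBC record (payload || MAC || padding || pad_len, a hypothetical layout) and contrasts a length computation that trusts pad_len with one that bounds-checks it against the record length and MAC size before touching any byte. The sample records, the function names and the mac_len parameter are constructed assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of a decrypted TLS 1.x CBC record (hypothetical layout
 * for illustration only, not GnuTLS's real structures):
 *
 *     payload || MAC (mac_len bytes) || padding (pad_len bytes) || pad_len
 *
 * The trailing pad_len byte arrives inside the ciphertext, so a peer can
 * make it any value; the decoder must validate it against the record
 * length before using it to locate the MAC and payload.
 */

/* Unchecked variant: trusts pad_len blindly. With a short record and a
 * large pad_len the unsigned subtraction wraps to a huge value, and any
 * caller that then reads "payload_len" bytes walks past the end of the
 * received record. This is the bug class named for CVE-2008-1950, written
 * for illustration, not the project's actual code. */
size_t cbc_payload_len_unchecked(const uint8_t *rec, size_t rec_len, size_t mac_len)
{
    size_t pad_len = rec[rec_len - 1];
    return rec_len - pad_len - 1 - mac_len;
}

/* Checked variant: returns the payload length, or -1 if the record is
 * malformed (padding + length byte + MAC do not fit, or a padding byte has
 * the wrong value). Every index read is proven in range before the read. */
long cbc_payload_len_checked(const uint8_t *rec, size_t rec_len, size_t mac_len)
{
    if (rec_len == 0)
        return -1;
    size_t pad_len = rec[rec_len - 1];

    /* pad_len padding bytes + 1 length byte + MAC must fit in the record */
    if (pad_len + 1 + mac_len > rec_len)
        return -1;

    /* TLS 1.0+ requires every padding byte to equal pad_len */
    for (size_t i = 0; i < pad_len; i++) {
        if (rec[rec_len - 2 - i] != pad_len)
            return -1;
    }
    return (long)(rec_len - pad_len - 1 - mac_len);
}

int main(void)
{
    /* Constructed sample: 2-byte payload, 4-byte MAC, 3 padding bytes, pad_len=3 */
    const uint8_t good[] = { 'h', 'i', 0xAA, 0xAA, 0xAA, 0xAA, 0x03, 0x03, 0x03, 0x03 };
    /* Constructed sample: 2-byte record whose last byte claims 255 padding bytes */
    const uint8_t bad[] = { 0x00, 0xFF };

    printf("good: checked=%ld unchecked=%zu\n",
           cbc_payload_len_checked(good, sizeof good, 4),
           cbc_payload_len_unchecked(good, sizeof good, 4));
    printf("bad:  checked=%ld unchecked=%zu\n",
           cbc_payload_len_checked(bad, sizeof bad, 0),
           cbc_payload_len_unchecked(bad, sizeof bad, 0));
    return 0;
}
```

The checked variant rejects the malformed record before any MAC or payload offset is derived from it; the unchecked variant hands back a length far larger than the record, which is exactly the out-of-bounds read the advisory describes. The uniform "reject and return" path is what a practitioner should look for when reviewing record-layer code.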
REFERENCES:

http://www.debian.org/security/2008/dsa-1581
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1948
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1949
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1950