Ubuntu alert USN-3999-1 (gnutls28)
| From: | Marc Deslauriers <marc.deslauriers@canonical.com> | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-3999-1] GnuTLS vulnerabilities | |
| Date: | Thu, 30 May 2019 10:02:18 -0400 | |
| Message-ID: | <9821b90e-7a0e-5b94-1a9b-e375c0e44133@canonical.com> |
========================================================================== Ubuntu Security Notice USN-3999-1 May 30, 2019 gnutls28 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 19.04 - Ubuntu 18.10 - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in GnuTLS. Software Description: - gnutls28: GNU TLS library Details: Eyal Ronen, Kenneth G. Paterson, and Adi Shamir discovered that GnuTLS was vulnerable to a timing side-channel attack known as the "Lucky Thirteen" issue. A remote attacker could possibly use this issue to perform plaintext-recovery attacks via analysis of timing data. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846) Tavis Ormandy discovered that GnuTLS incorrectly handled memory when verifying certain X.509 certificates. A remote attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 18.10, and Ubuntu 19.04. (CVE-2019-3829) It was discovered that GnuTLS incorrectly handled certain post-handshake messages. A remote attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.10 and Ubuntu 19.04. (CVE-2019-3836) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 19.04: libgnutls30 3.6.5-2ubuntu1.1 Ubuntu 18.10: libgnutls30 3.6.4-2ubuntu1.2 Ubuntu 18.04 LTS: libgnutls30 3.5.18-1ubuntu1.1 Ubuntu 16.04 LTS: libgnutls30 3.4.10-4ubuntu1.5 In general, a standard system update will make all the necessary changes. References: https://usn.ubuntu.com/usn/usn-3999-1 CVE-2018-10844, CVE-2018-10845, CVE-2018-10846, CVE-2019-3829, CVE-2019-3836 Package Information: https://launchpad.net/ubuntu/+source/gnutls28/3.6.5-2ubun... https://launchpad.net/ubuntu/+source/gnutls28/3.6.4-2ubun... https://launchpad.net/ubuntu/+source/gnutls28/3.5.18-1ubu... https://launchpad.net/ubuntu/+source/gnutls28/3.4.10-4ubu... -- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security...