Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-180-1 gnutls26

Debian Security Advisory

DLA-180-1 gnutls26 -- LTS security update

Date Reported:

25 Mar 2015

Affected Packages:

gnutls26

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-8155, CVE-2015-0282, CVE-2015-0294.

More information:

Multiple vulnerabilities have been discovered in GnuTLS, a library implementing the TLS and SSL protocols. The Common Vulnerabilities and Exposures project identifies the following problems:

• CVE-2014-8155

  Missing date/time checks on CA certificates

• CVE-2015-0282

  GnuTLS does not verify the RSA PKCS #1 signature algorithm to match the signature algorithm in the certificate, leading to a potential downgrade to a disallowed algorithm without detecting it.

• CVE-2015-0294

  GnuTLS does not check whether the two signature algorithms match on certificate import.

For Debian 6 Squeeze, these issues have been fixed in gnutls26 version 2.8.6-1+squeeze5