Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [thread-next>] [month] [year] [list] 
Date: Mon, 19 May 2008 22:16:50 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: CVE ID request: GNUTLS

Several issues have been announced in GNUTLS-SA-2008-1:

*** [GNUTLS-SA-2008-1-1]
*** libgnutls: Fix crash when sending invalid server name.
The crash can be triggered remotely before authentication, which can
lead to a Daniel of Service attack to disable the server.  The bug
cause gnutls to store more session resumption data than what was
allocated for, thus overwriting unallocated memory.

*** [GNUTLS-SA-2008-1-2]
*** libgnutls: Fix crash when sending repeated client hellos.
The crash can be triggered remotely before authentication, which can
lead to a Daniel of Service attack to disable the server.  The bug
triggers a null-pointer dereference.

*** [GNUTLS-SA-2008-1-3]
*** libgnutls: Fix crash in cipher padding decoding for invalid record
*** lengths.
The crash can be triggered remotely before authentication, which can
lead to a Daniel of Service attack to disable the server.  The bug
cause gnutls to read memory beyond the end of the received record.

AFAIK, no CVE IDs have bee assigned yet.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux