Multiple vulnerabilities might allow for the execution of arbitrary code in daemons using GnuTLS.
|Package||net-libs/gnutls on all architectures|
|Affected versions||< 2.2.5|
|Unaffected versions||>= 2.2.5|
GnuTLS is an implementation of Secure Sockets Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0, 1.1 and 1.2.
Ossi Herrala and Jukka Taimisto of Codenomicon reported three vulnerabilities in libgnutls of GnuTLS:
Unauthenticated remote attackers could exploit these vulnerabilities to cause Denial of Service conditions in daemons using GnuTLS. The first vulnerability (CVE-2008-1948) might allow for the execution of arbitrary code with the privileges of the daemon handling incoming TLS connections.
There is no known workaround at this time.
All GnuTLS users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/gnutls-2.2.5"
May 21, 2008
May 21, 2008: 01