Amazon Linux 1 Security Advisory: ALAS-2015-575
Advisory Release Date: 2015-08-04 11:36 Pacific
Advisory Updated Date: 2015-08-04 17:48 Pacific
It was found that GnuTLS did not check activation and expiration dates of CA certificates. This could cause an application using GnuTLS to incorrectly accept a certificate as valid when its issuing CA is already expired. (CVE-2014-8155)
It was found that GnuTLS did not verify whether a hashing algorithm listed in a signature matched the hashing algorithm listed in the certificate. An attacker could create a certificate that used a different hashing algorithm than it claimed, possibly causing GnuTLS to use an insecure, disallowed hashing algorithm during certificate verification. (CVE-2015-0282)
It was discovered that GnuTLS did not check if all sections of X.509 certificates indicate the same signature algorithm. This flaw, in combination with a different flaw, could possibly lead to a bypass of the certificate signature check. (CVE-2015-0294)
Affected Packages:
gnutls
Issue Correction:
Run yum update gnutls to update your system.
New Packages:
i686:
gnutls-2.8.5-18.14.amzn1.i686
gnutls-debuginfo-2.8.5-18.14.amzn1.i686
gnutls-devel-2.8.5-18.14.amzn1.i686
gnutls-guile-2.8.5-18.14.amzn1.i686
gnutls-utils-2.8.5-18.14.amzn1.i686
src:
gnutls-2.8.5-18.14.amzn1.src
x86_64:
gnutls-debuginfo-2.8.5-18.14.amzn1.x86_64
gnutls-guile-2.8.5-18.14.amzn1.x86_64
gnutls-utils-2.8.5-18.14.amzn1.x86_64
gnutls-2.8.5-18.14.amzn1.x86_64
gnutls-devel-2.8.5-18.14.amzn1.x86_64
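
To confirm that a host has picked up the fixed build listed above, the following added example (not part of the original advisory) flags any of the advisory's packages older than 2.8.5-18.14.amzn1. It assumes the packages carry no epoch, uses a simplified RPM version comparison that ignores tilde and caret handling, and runs on constructed sample input.

```python
import re

# Fixed build taken from the advisory's package list.
FIXED_VERSION, FIXED_RELEASE = "2.8.5", "18.14.amzn1"
ADVISORY_PACKAGES = {"gnutls", "gnutls-debuginfo", "gnutls-devel",
                     "gnutls-guile", "gnutls-utils"}

def rpmvercmp(a, b):
    """Compare two RPM version or release strings; returns -1, 0 or 1.

    Simplified form of RPM's segment comparison (assumption: no '~' or '^').
    """
    ta = re.findall(r"\d+|[a-zA-Z]+", a)
    tb = re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def unpatched(rpm_query_output):
    """Return the advisory's packages that are older than the fixed build."""
    stale = []
    for line in rpm_query_output.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ADVISORY_PACKAGES:
            continue
        name, version, release, arch = parts
        # Version decides first; release only breaks a version tie.
        order = rpmvercmp(version, FIXED_VERSION) or rpmvercmp(release, FIXED_RELEASE)
        if order < 0:
            stale.append(f"{name}-{version}-{release}.{arch}")
    return stale

# Constructed sample input, in the format produced by:
#   rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n'
SAMPLE = """\
gnutls 2.8.5 18.14.amzn1 x86_64
gnutls-utils 2.8.5 14.13.amzn1 x86_64
gnutls-devel 2.8.5 18.9.amzn1 i686
openssl 1.0.1k 10.86.amzn1 x86_64
"""

if __name__ == "__main__":
    for pkg in unpatched(SAMPLE):
        print("needs update:", pkg)
```

Applications that were already running when the update was installed keep the old library mapped until they are restarted.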