Jun 16, 2014

How To Upgrade GnuTLS to 3.2.15 To Fix The Latest Critical Security Flaw

I swear to the sweet baby Jesus that if it isn't one thing it's another in network security. First there was Heartbleed that caused all my company's banking clients to flip their shit. Everything was cool on my end because all of our Linux servers used GnuTLS or Windows IIS. Heartbleed only affected OpenSSL users.

Well, ZDNet recently reported on a major flaw with GnuTLS! Crap! From ZDNet:

According to RedHat, which issued an advisory for the latest bug on Saturday, GnuTLS runs an insufficient check on the session ID length during the TLS/SSL handshake between a client and server.

"A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code," the company wrote.

According to the article, the only versions not affected are 3.1.25, 3.2.15 and 3.3.3. Checking the repositories for Ubuntu, the only version of Ubuntu that ships a GnuTLS that is not susceptible to the bug is Utopic Unicorn (14.10), which hasn't been released yet. Crap! The version in the Utopic repositories is currently 3.2.15.

That leaves two options:
  1. Download and install from source
  2. Update your apt sources to use Utopic Unicorn's repositories
I went with the latter on my personal mail server because it was easier. You may want to do number one, because switching to the Utopic repositories will update everything, not just GnuTLS. I like to live dangerously though, so this is what I did:
  • Change into your /etc/apt directory

    cd /etc/apt
  • Create a backup of your sources.list file

    cp sources.list sources.list.bak
  • Edit sources.list with your favorite text editor

    nano sources.list
  • Replace your current release's codename with utopic. I tested this on 12.04, so I replaced precise with utopic.
  • Save sources.list then update apt

    apt-get update
  • Next, upgrade!

    apt-get upgrade
If you get an error saying:

    dpkg: error: configuration error: /etc/dpkg/dpkg.cfg.d/multiarch:1: unknown option 'foreign-architecture'
    E: Sub-process /usr/bin/dpkg returned an error code (2)

remove the /etc/dpkg/dpkg.cfg.d/multiarch file, then run sudo apt-get -f install to fix anything you're missing.

After doing this, I ran gnutls-cli -v and received the following output:

    gnutls-cli 3.2.15
    Copyright (C) 2000-2014 Free Software Foundation, and others, all rights reserved.
    This is free software. It is licensed for use, modification and
    redistribution under the terms of the GNU General Public License,
    version 3 or later <http://gnu.org/licenses/gpl.html>

Boom! GnuTLS 3.2.15! Hack me now!
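Added example, not code from the original post: a small POSIX sh script that covers the two manual steps above, swapping the release codename in sources.list (keeping the .bak the post creates) and checking a gnutls-cli -v version string against the releases the post lists as not affected. The file name gnutls-check.sh and the treatment of branches newer than 3.3 as already fixed are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Two helpers for the
# procedure above: a version check against the releases the post lists as
# not affected (3.1.25, 3.2.15, 3.3.3) and a sources.list codename swap that
# keeps a .bak copy, as the post does by hand.

# gnutls_fixed MAJOR.MINOR.PATCH -> exit 0 if the version is the fixed release
# for its branch or later, 1 otherwise. Branches before 3.1 are treated as
# affected; branches after 3.3 are assumed to carry the fix (assumption).
gnutls_fixed() {
    case $1 in *.*.*) ;; *) return 1 ;; esac      # need all three fields
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}                        # drop "-5ubuntu3" style suffixes
    [ -n "$patch" ] || return 1
    case "$major.$minor" in
        3.1) [ "$patch" -ge 25 ] ;;
        3.2) [ "$patch" -ge 15 ] ;;
        3.3) [ "$patch" -ge 3 ] ;;
        *)   [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -gt 3 ]; } ;;
    esac
}

# Read `gnutls-cli -v` output on stdin and print just the version number.
gnutls_cli_version() {
    sed -n '1s/^gnutls-cli \([0-9][0-9.]*\).*/\1/p'
}

# swap_codename FILE OLD NEW: back FILE up to FILE.bak, then replace the
# release codename (and its -updates/-security style variants) on every
# active deb/deb-src line. The URL field is matched as a whole, so an OLD
# appearing inside a URL is left untouched; commented lines are skipped.
swap_codename() {
    cp "$1" "$1.bak" &&
    sed -E "s/^(deb|deb-src) ([^ ]+) $2( |-)/\1 \2 $3\3/" "$1.bak" > "$1"
}

# Report on the gnutls-cli in PATH; run as: sh gnutls-check.sh --check
check_installed() {
    command -v gnutls-cli >/dev/null || { echo "gnutls-cli not installed"; return 2; }
    v=$(gnutls-cli -v | gnutls_cli_version)
    if gnutls_fixed "$v"; then echo "gnutls-cli $v: not affected"
    else echo "gnutls-cli $v: affected, upgrade"; fi
}
if [ "${1-}" = "--check" ]; then check_installed; fi
```

To rewrite the real file, run swap_codename /etc/apt/sources.list precise utopic as root and then continue with apt-get update as in the steps above.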

In all honesty, for stability's sake the method in this article probably isn't the recommended way. You should probably just install from source...
