Vulnerability Description
The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service (NULL dereference and crash) via a TLS message containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Gnutls | 1.0.18 |
Related Weaknesses (CWE)
References
- http://git.savannah.gnu.org/gitweb/?p=gnutls.git%3Ba=commitdiff%3Bh=bc8102405fda
- http://lists.gnu.org/archive/html/gnutls-devel/2008-05/msg00051.html
- http://lists.gnu.org/archive/html/gnutls-devel/2008-05/msg00055.html
- http://lists.gnu.org/archive/html/gnutls-devel/2008-05/msg00060.html
- http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00003.html
- http://secunia.com/advisories/30287Vendor Advisory
- http://secunia.com/advisories/30302Vendor Advisory
- http://secunia.com/advisories/30317Vendor Advisory
- http://secunia.com/advisories/30324Vendor Advisory
- http://secunia.com/advisories/30330Vendor Advisory
- http://secunia.com/advisories/30331Vendor Advisory
- http://secunia.com/advisories/30338Vendor Advisory
- http://secunia.com/advisories/30355
- http://secunia.com/advisories/31939
- http://security.gentoo.org/glsa/glsa-200805-20.xml
FAQ
What is CVE-2008-1949?
CVE-2008-1949 is a vulnerability with a CVSS score of 9.3 (HIGH). The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already ...
How severe is CVE-2008-1949?
CVE-2008-1949 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2008-1949?
Check the references section above for vendor advisories and patch information. Affected products include: Gnu Gnutls.