PT-2008-6946 · Gnutls+1 · Gnutls+1
Published 1970-01-01 · Updated 2024-06-15 · CVE-2008-1949
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
gnutls versions prior to 2.2.5
gnutls-32bit (affected versions not specified)
gnutls-64bit (affected versions not specified)
gnutls-devel (affected versions not specified)
gnutls-devel-32bit (affected versions not specified)
gnutls-devel-64bit (affected versions not specified)
gnutls-debuginfo (affected versions not specified)
gnutls-x86 (affected versions not specified)
Description
The issue relates to multiple vulnerabilities in the gnutls package that can compromise the confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service via a TLS message containing multiple Client Hello messages.
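The condition described above is a missing state check: once a ClientHello has been handled, any further ClientHello in the same record (or a later one) should be refused rather than processed again. The following is an added illustration, not GnuTLS code, of a handshake-record handler that enforces that check; it parses only the 4-byte TLS handshake header and treats message bodies as opaque, and the sample messages it builds are constructed for the demo.

```python
# Added example, not GnuTLS code: accept at most one ClientHello per handshake,
# the check the advisory says was missing. Only the 4-byte handshake header
# (1-byte type, 3-byte big-endian length) is parsed; bodies are left opaque.
HANDSHAKE_CLIENT_HELLO = 1

class HandshakeError(ValueError):
    """Raised for malformed or out-of-sequence handshake messages."""

def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Build one handshake message (constructed sample data for the demo)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def split_handshake_messages(payload: bytes) -> list:
    """Split a record payload into (msg_type, body) pairs, rejecting truncation."""
    msgs, off = [], 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise HandshakeError("truncated handshake header")
        msg_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) != length:
            raise HandshakeError("truncated handshake body")
        msgs.append((msg_type, body))
        off += 4 + length
    return msgs

def process_record(payload: bytes, state: dict) -> int:
    """Handle the messages in one record; return the number accepted."""
    # A second ClientHello is refused whether it sits in this record or a later one.
    accepted = 0
    for msg_type, _body in split_handshake_messages(payload):
        if msg_type == HANDSHAKE_CLIENT_HELLO:
            if state.get("client_hello_seen"):
                raise HandshakeError("ClientHello already processed")
            state["client_hello_seen"] = True
        accepted += 1
    return accepted

def record_is_accepted(payload: bytes) -> bool:
    """True if a fresh server state accepts the whole record, False if refused."""
    try:
        process_record(payload, {})
        return True
    except HandshakeError:
        return False
```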
Recommendations
As a temporary workaround, consider disabling the _gnutls_recv_client_kx_message function until a patch is available.
Restrict access to the vulnerable gnutls package to minimize the risk of exploitation.
Avoid using the gnutls package until the issue is resolved.
For versions prior to 2.2.5, update to a version that contains the fix for this issue.
At the moment, there is no information about a newer version that contains a fix for this vulnerability for the following: gnutls-32bit, gnutls-64bit, gnutls-devel, gnutls-devel-32bit, gnutls-devel-64bit, gnutls-debuginfo, gnutls-x86.
Exploit
Fix
DoS
Improper Authentication
Related Identifiers
Affected Products
Red Hat
Gnutls