CVE-2009-1415

Name of the Vulnerable Software and Affected Versions GnuTLS versions prior to 2.6.6

Description The issue concerns multiple vulnerabilities in the GnuTLS package that can be exploited remotely, potentially leading to breaches of confidentiality, integrity, and availability of protected information. Specifically, in GnuTLS before version 2.6.6, the lib/pk-libgcrypt.c file does not properly handle invalid DSA signatures. This can allow remote attackers to cause a denial of service, such as an application crash, and possibly have other unspecified impacts by using a malformed DSA key. This malformed key can trigger either the free of an uninitialized pointer or a double free.

Recommendations For versions prior to 2.6.6, update to version 2.6.6 or later to resolve the issue. As a temporary workaround, consider restricting access to lib/pk-libgcrypt.c or disabling the handling of DSA signatures until a patch is available. Avoid using malformed DSA keys in the affected API endpoints until the issue is resolved.