Security Advisory

CVE-2015-0282 Multiple GnuTLS Vulnerabilities

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 10.04 LTS and 14.04 LTS

Description

Several security issues were fixed in GnuTLS. This issue only affects versions of GnuTLS prior to 3.1.0 (released in 2012). Those versions do not verify that the hash algorithm encoded inside the RSA PKCS #1 signature (the DigestInfo) matches the signature algorithm declared in the certificate. A certificate can therefore declare an allowed algorithm while its signature is actually computed over a digest from a disallowed one, such as MD5, and the downgrade goes undetected.
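To make the failure mode concrete, the following is an added example, written for this page and not GnuTLS code or part of the advisory. It is a simplified, stdlib-only Python model of PKCS #1 v1.5 RSA signature verification: the "certificate" is reduced to the signed bytes, the declared signature algorithm and the signature, the RSA key is generated in-process, and the sample TBS bytes are constructed. `verify_vulnerable` mirrors the pre-3.1.0 behaviour described above (policy is checked against the declared algorithm only, and the digest compared is whichever one the DigestInfo names), while `verify_fixed` adds the missing check that the DigestInfo algorithm equals the declared one.

```python
"""Model of the CVE-2015-0282 check: PKCS #1 v1.5 DigestInfo algorithm vs. declared algorithm.
Added example for this advisory page; not GnuTLS code. Key sizes and sample bytes are for the demo."""
import hashlib
import random

# DigestInfo DER prefixes (AlgorithmIdentifier + OCTET STRING header) from RFC 8017 section 9.2, note 1.
DIGEST_INFO_PREFIX = {
    "md5":    bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

_rng = random.SystemRandom()


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; enough for a demo key, not a production key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_rsa_key(bits=768):
    """Returns (n, e, d). 768 bits is plenty for a demo and keeps pure-Python keygen fast."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p == q or phi % e == 0:
            continue
        return p * q, e, pow(e, -1, phi)


def rsa_sign(priv, digest_alg, message):
    """PKCS #1 v1.5 signature: 00 01 FF..FF 00 || DigestInfo(digest_alg, H(message))."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    t = DIGEST_INFO_PREFIX[digest_alg] + hashlib.new(digest_alg, message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def recover_digest_info(pub, signature):
    """RSA public operation, padding check, then (algorithm, digest) from the DigestInfo, or None."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return None
    t = em[sep + 1:]
    for alg, prefix in DIGEST_INFO_PREFIX.items():
        if t.startswith(prefix) and len(t) == len(prefix) + hashlib.new(alg).digest_size:
            return alg, t[len(prefix):]
    return None


def verify_vulnerable(pub, declared_alg, tbs, signature, allowed_algs):
    """Pre-3.1.0 model: policy looks only at the declared algorithm; the hash compared is
    whatever the DigestInfo inside the signature names, so an MD5 DigestInfo slips through."""
    if declared_alg not in allowed_algs:
        return False
    rec = recover_digest_info(pub, signature)
    return rec is not None and rec[1] == hashlib.new(rec[0], tbs).digest()


def verify_fixed(pub, declared_alg, tbs, signature, allowed_algs):
    """Adds the missing check: the DigestInfo algorithm must equal the declared one."""
    if declared_alg not in allowed_algs:
        return False
    rec = recover_digest_info(pub, signature)
    if rec is None or rec[0] != declared_alg:
        return False
    return rec[1] == hashlib.new(declared_alg, tbs).digest()


def run_scenario():
    """Honest sha256 certificate vs. one that declares sha256 but carries an MD5 DigestInfo."""
    n, e, d = generate_rsa_key()
    pub, priv = (n, e), (n, d)
    tbs = b"constructed TBSCertificate bytes for this demo"  # constructed sample input
    allowed = {"sha1", "sha256"}                             # MD5 disallowed by policy
    honest_sig = rsa_sign(priv, "sha256", tbs)
    downgraded_sig = rsa_sign(priv, "md5", tbs)              # inner DigestInfo says MD5
    return {
        "honest_vulnerable": verify_vulnerable(pub, "sha256", tbs, honest_sig, allowed),
        "honest_fixed": verify_fixed(pub, "sha256", tbs, honest_sig, allowed),
        "downgrade_vulnerable": verify_vulnerable(pub, "sha256", tbs, downgraded_sig, allowed),
        "downgrade_fixed": verify_fixed(pub, "sha256", tbs, downgraded_sig, allowed),
        "md5_declared_fixed": verify_fixed(pub, "md5", tbs, downgraded_sig, allowed),
        "tampered_fixed": verify_fixed(pub, "sha256", tbs + b"x", honest_sig, allowed),
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The decisive line is `rec[0] != declared_alg`: without it, an attacker who can produce a valid MD5-based signature (for example via an MD5 collision against a legitimately signed certificate) gets it accepted under a declared algorithm the policy still trusts. The same class of check applies to any PKCS #1 v1.5 verifier, not only GnuTLS.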

Affected Products and Versions

Severity is medium unless otherwise noted.

  • The Cloud Foundry team expects to release a patched BOSH stemcell and Elastic Runtime release with upgraded GnuTLS packages.

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team has determined that the project software is unlikely to be affected by the GnuTLS vulnerability and therefore does not require an immediate update. A future release of Cloud Foundry will update GnuTLS with the patched packages.

Credit

Nikos Mavrogiannopoulos

References

Cloud Foundry Foundation Security Team, AUTHOR