
====================================================================

                                 CERT-Renater

                    Information Note No. 2017/VULN011
_____________________________________________________________________

DATE                : 16/01/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GnuTLS versions prior to 3.3.26,
                     3.5.8.

=====================================================================
https://gnutls.org/security.html#GNUTLS-SA-2017-1
https://gnutls.org/security.html#GNUTLS-SA-2017-2
____________________________________________________________________

GNUTLS-SA-2017-1

Description   Memory corruption


Information

It was found using the OSS-FUZZ fuzzer infrastructure that decoding a
specially crafted X.509 certificate with Proxy Certificate Information
extension present could lead to a double free. This issue was fixed in
GnuTLS 3.3.26 and 3.5.8. Recommendation: Upgrade to GnuTLS 3.3.26,
3.5.8 or later versions.


GNUTLS-SA-2017-2

Description    Memory corruption

Information
It was found using the OSS-FUZZ fuzzer infrastructure that decoding a
specially crafted OpenPGP certificate could lead to heap and stack
overflows. This issue was fixed in GnuTLS 3.3.26 and 3.5.8.
Recommendation: The support of OpenPGP certificates in GnuTLS is
considered obsolete. As such, it is not recommended to use OpenPGP
certificates with GnuTLS. To address the issues found, upgrade to GnuTLS
3.3.26, 3.5.8 or later versions.
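
The check below is an added example, not part of the original note or of
GnuTLS: it classifies an upstream version string against the two fixed
releases named above. The function name gnutls_affected and the sample
versions are constructed; treating every release older than 3.5.8 outside
the fixed 3.3 line as affected is an assumption drawn from the note's
"prior to" wording.

```shell
#!/bin/sh
# Added example (not from the note or from GnuTLS): decide whether an
# upstream GnuTLS version predates the fixes in 3.3.26 / 3.5.8.
# Exit status: 0 = affected, 1 = fixed, 2 = version string not understood.
# Assumption: releases older than 3.5.8 outside the 3.3 line (e.g. 3.4.x)
# count as affected, since the note names no fixed release for them.

gnutls_affected() {
    # Keep only the leading MAJOR.MINOR.PATCH; drop packaging suffixes.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    if [ "$major" -gt 3 ]; then return 1; fi
    if [ "$major" -lt 3 ]; then return 0; fi
    if [ "$minor" -gt 5 ]; then return 1; fi
    if [ "$minor" -eq 5 ]; then
        if [ "$patch" -lt 8 ]; then return 0; else return 1; fi
    fi
    if [ "$minor" -eq 3 ]; then
        if [ "$patch" -lt 26 ]; then return 0; else return 1; fi
    fi
    return 0   # 3.0-3.2 and 3.4.x: older than 3.5.8, no fixed release listed
}

# Constructed sample versions, one per branch case.
for v in 3.3.25 3.3.26 3.4.17 3.5.7 3.5.8 3.6.0 not-a-version; do
    rc=0
    gnutls_affected "$v" || rc=$?
    case $rc in
        0) echo "$v: affected, upgrade to 3.3.26, 3.5.8 or later" ;;
        1) echo "$v: contains the fixes" ;;
        *) echo "$v: could not parse version" ;;
    esac
done
```

Distribution packages can carry backported fixes under an older upstream
version number, so confirm an "affected" result against the vendor's own
advisory.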
	
==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================



