How To Upgrade GnuTLS to 3.2.15 To Fix The Latest Critical Security Flaw

I swear to the sweet baby Jesus that if it isn't one thing it's another in network security. First there was Heartbleed that caused all my company's banking clients to flip their shit. Everything was cool on my end because all of our Linux servers used GnuTLS or Windows IIS. Heartbleed only affected OpenSSL users.

Well ZDNet recently reported on a major flaw with GnuTLS! Crap! From ZDNet:

According to RedHat, which issued an advisory for the latest bug on Saturday, GnuTLS runs an insufficient check on the session ID length during the TLS/SSL handshake between a client and server.

"A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code," the company wrote.

According to the article the only versions not affected are 3.1.25, 3.2.15 or 3.3.3. Checking the repositories for Ubuntu, the only version of Ubuntu that contains a GnuTLS version that is not susceptible to the bug is Utopic Unicorn (14.10) which hasn't been released yet. Crap! The version in the Utopic repositories is currently 3.2.15.

That leaves two options:

1. Download and install from source
2. Update your apt sources to use Utopic Unicorn's repositories

I went with the later on my personal mail server because it was easier. You may want to do number one because changing the the Utopic Repositories will update everything, not just GnuTLS. I like to live dangerously though, so this is what I did:

• Change into your /etc/apt directory
  
  cd /etc/apt
• Create a backup of your sources.list file
  
  cp sources.list sources.list.bak
• Edit sources.list with your favorite text editor
  
  nano sources.list
• Replace your current version's name with utopic. I tested this on 12.04, so I replaced precise with utopic
• Save sources.list then update apt
  
  apt-get update
• Next upgrade!
  
  apt-get upgrade

If you get an error saying:

dpkg: error: configuration error: /etc/dpkg/dpkg.cfg.d/multiarch:1: unknown option 'foreign-architecture'
E: Sub-process /usr/bin/dpkg returned an error code (2)

What you need to do is remove the /etc/dpkg/dpkg.cfg.d/multiarch file, then you can run sudo apt-get -f install to fixanything you're missing.

After doing this I ran gnutls-cli -v and received the following output:

gnutls-cli 3.2.15
Copyright (C) 2000-2014 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>

Boom! GnuTLS 3.2.15! Hack me now!

In all honesty, and for stability purposes the method in this article probably isn't the recommended way. You should probably just install from source...

Related articles

• Bug in GnuTLS allows hackers to run malicious code in Your Linux
• Serious flaw in GnuTLS library endangers SSL clients and systems
• GnuTLS Vulnerability Closed in Ubuntu 14.04 LTS
• An update on Heartbleed Bug and ShoreTel Platforms