Date: Tue, 20 May 2008 11:34:37 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE ID request: GNUTLS
On Mon, 19 May 2008 15:26:41 -0800 Jonathan Smith
<smithj@...ethemallocs.com> wrote:

> Florian Weimer wrote:
> | Several issues have been announced in GNUTLS-SA-2008-1:

Some references for Steven to use in the CVE descriptions:

Upstream announcements:
http://www.gnu.org/software/gnutls/security.html
http://lists.gnu.org/archive/html/gnutls-devel/2008-05/msg00051.html
http://lists.gnu.org/archive/html/gnutls-devel/2008-05/msg00060.html

CERT-FI advisory:
https://www.cert.fi/haavoittuvuudet/advisory-gnutls.html

Upstream patches:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=bc8102405fda11ea00ca3b42acc4f4bce9d6e97b
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=d223040e498bd50a4b9e0aa493e78587ae1ed653

> Note that the fixed versions have changed. 2.2.4 didn't fix the issue,
> so they pushed 2.2.5 today as well.
>
> reference
> http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2812

Based on discussion here:
http://lists.gnu.org/archive/html/gnutls-devel/2008-05/msg00055.html
It seems like a regression.

Adding Simon to CC, so he may comment on this if he wants.
--
Tomas Hoger / Red Hat Security Response Team