Date: Mon, 2 Jun 2014 02:39:45 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: nmav@...tls.org
Subject: Re: GnuTLS and libtasn1 security fixes

On Sun, Jun 01, 2014 at 09:40:18PM +0200, Kristian Fiskerstrand wrote:
> On 05/30/2014 10:31 AM, Tomas Hoger wrote:
> > Hi!
> > 
> > New GnuTLS and libtasn1 versions fix a few issues you might be
> > interested in looking at:
> 
> Thanks Tomas.
> 
> Based on your research of this issue can you comment anything on
> whether CVE-2014-3466 affects the 2.x series as well? It seems like at
> least CVE-2014-3465 is 3.x series only.

Hello.

I believe you're right about CVE-2014-3465 not being applicable in
GnuTLS 2.x because in that branch the result of
gnutls_x509_oid2ldap_string is checked for NULL returns.

As for the rest, I've backported the fixes to GnuTLS 2.12.23 (the
CVE-2014-3467,3468,3469 fixes apply to the embedded libtasn1).

You're welcome to them:

http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3466.diff
http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3467.diff
http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3468.diff
http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3469.diff

Note: Add ".sig" to above URLs for the PGP signatures.

--mancha
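As an added illustration (not code from this message or from GnuTLS), the NULL-return handling mancha points to, written against a constructed stand-in for the OID-to-LDAP-name lookup: a caller that checks the result and falls back to the dotted-decimal OID for unknown attribute types, instead of dereferencing a NULL pointer. The lookup table and the function names here are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an OID -> LDAP attribute-name lookup.
 * Like the library call discussed above, it returns NULL for an OID it
 * does not know; that NULL is exactly what callers must handle. */
static const char *oid2ldap_lookup(const char *oid)
{
    static const struct { const char *oid; const char *name; } table[] = {
        { "2.5.4.3",  "CN" },
        { "2.5.4.10", "O"  },
        { "2.5.4.6",  "C"  },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(oid, table[i].oid) == 0)
            return table[i].name;
    return NULL;
}

/* Render one DN component as "NAME=value". If the OID has no known
 * short name, emit the dotted-decimal OID itself (the RFC 4514 form)
 * rather than touching a NULL result. Returns 0 on success, -1 if the
 * output buffer is too small or an argument is missing. */
int dn_component_to_string(const char *oid, const char *value,
                           char *out, size_t outlen)
{
    if (oid == NULL || value == NULL || out == NULL || outlen == 0)
        return -1;

    const char *name = oid2ldap_lookup(oid);
    if (name == NULL)          /* the check the 2.x branch performs */
        name = oid;            /* safe fallback: print the raw OID */

    int n = snprintf(out, outlen, "%s=%s", name, value);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';         /* truncated: fail closed, never partial */
        return -1;
    }
    return 0;
}
```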


