Date: Mon, 2 Jun 2014 02:39:45 +0000 From: mancha <mancha1@...o.com> To: oss-security@...ts.openwall.com Cc: nmav@...tls.org Subject: Re: GnuTLS and libtasn1 security fixes On Sun, Jun 01, 2014 at 09:40:18PM +0200, Kristian Fiskerstrand wrote: > On 05/30/2014 10:31 AM, Tomas Hoger wrote: > > Hi! > > > > New GnuTLS and libtasn1 versions fix few issues you might be > > interested to look at: > > Thanks Thomas. > > Based on your research of this issue can you comment anything on > whether CVE-2014-3466 affects the 2.x series as well? It seems like at > least CVE-2014-3465 is 3.x series only. Hello. I believe you're right about CVE-2014-3465 not being applicable in GnuTLS 2.x because in that branch the result of gnutls_x509_oid2ldap_string is checked for NULL returns. As for the rest, I've backported the fixes to GnuTLS 2.12.23 (the CVE-2014-3467,3468,3469 fixes apply to the embedded libtasn1). You're welcome to them: http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3466.diff http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3467.diff http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3468.diff http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3469.diff Note: Add ".sig" to above URLs for the PGP signatures. --mancha Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ