Date: Tue, 5 May 2015 10:47:49 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: CVE Request: GnuTLS: GNUTLS-SA-2015-2: MD5-based ServerKeyExchange signature accepted by default

Hi

I wonder if the following issue in GnuTLS should get a CVE:

http://www.gnutls.org/security.html#GNUTLS-SA-2015-2

> Karthikeyan Bhargavan reported that a ServerKeyExchange signature
> sent by the server is not verified to be in the acceptable by the
> client set of algorithms. That has the effect of allowing MD5
> signatures (which are disabled by default) in the ServerKeyExchange
> message. It is not believed that this bug can be exploited because a
> fraudulent signature has to be generated in real-time which is not
> known to be possible. However, since attacks can only get better it
> is recommended to update to a GnuTLS version which addresses the
> issue.

Details:
https://lists.gnupg.org/pipermail/gnutls-devel/2015-April/007572.html
https://bugzilla.redhat.com/show_bug.cgi?id=1218426
https://lists.gnupg.org/pipermail/gnutls-devel/2015-May/007577.html
https://lists.gnupg.org/pipermail/gnutls-devel/2015-May/007578.html

Upstream commit:
https://gitlab.com/gnutls/gnutls/commit/7d9d5c61f8445dc9e9ca47bb575c77cef17da17a

Testcase:
https://gitlab.com/gnutls/gnutls/commit/6822a37947d4e38c45b1afc0121cda35ba897182

Regards,
Salvatore
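The check the advisory describes as missing, as an added illustration that is not GnuTLS code: a TLS 1.2 client must reject a ServerKeyExchange whose SignatureAndHashAlgorithm pair is not one it advertised in its own signature_algorithms extension, so an MD5/RSA signature is refused before any signature verification happens. The ServerKeyExchange bytes and the client's offered set are constructed for the example; the wire layout follows RFC 5246 / RFC 4492 (ECDHE).

```python
import struct

# TLS 1.2 HashAlgorithm / SignatureAlgorithm identifiers (RFC 5246, 7.4.1.4.1)
HASH = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {1: "rsa", 2: "dsa", 3: "ecdsa"}

# Offered set for the example (an assumption, not GnuTLS's real default list):
# a client that has MD5 disabled never lists hash id 1 here.
CLIENT_OFFERED = {(4, 1), (5, 1), (6, 1), (4, 3), (5, 3), (2, 1)}


def parse_ecdhe_server_key_exchange(body: bytes):
    """Split an ECDHE ServerKeyExchange body into ServerECDHParams,
    the (hash, signature) algorithm pair and the raw signature bytes."""
    if body[0] != 3:  # curve_type: only named_curve (3) is defined
        raise ValueError("unsupported curve_type")
    point_len = body[3]  # ECPoint is <1..2^8-1> length-prefixed
    params_end = 4 + point_len
    params = body[:params_end]
    hash_id, sig_id, sig_len = struct.unpack("!BBH", body[params_end:params_end + 4])
    signature = body[params_end + 4:params_end + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    return params, (hash_id, sig_id), signature


def signature_algorithm_acceptable(offered, pair) -> bool:
    """The check GNUTLS-SA-2015-2 was missing: the server's chosen pair
    must be one the client itself offered."""
    return pair in offered


def build_ske(pair, point=b"\x04" + b"\x11" * 64, signature=b"\x00" * 8) -> bytes:
    """Construct a sample ECDHE ServerKeyExchange body (named_curve 23 =
    secp256r1, dummy point and dummy signature; constructed test data)."""
    params = bytes([3]) + struct.pack("!H", 23) + bytes([len(point)]) + point
    return params + bytes(pair) + struct.pack("!H", len(signature)) + signature


def client_accepts(body: bytes, offered=CLIENT_OFFERED) -> bool:
    """True only if the message parses and its algorithm pair was offered.
    Cryptographic verification of the signature is a separate, later step."""
    _, pair, _ = parse_ecdhe_server_key_exchange(body)
    return signature_algorithm_acceptable(offered, pair)


if __name__ == "__main__":
    for pair in ((4, 1), (1, 1)):
        label = f"{HASH[pair[0]]}/{SIG[pair[1]]}"
        print(label, "accepted" if client_accepts(build_ske(pair)) else "rejected")
```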