Date: Tue, 5 May 2015 10:47:49 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: CVE Request: GnuTLS: GNUTLS-SA-2015-2: MD5-based ServerKeyExchange signature accepted by default

Hi

I wonder if the following issue in GnuTLS should get a CVE:

http://www.gnutls.org/security.html#GNUTLS-SA-2015-2

> Karthikeyan Bhargavan reported that a ServerKeyExchange signature
> sent by the server is not verified to be in the acceptable by the
> client set of algorithms. That has the effect of allowing MD5
> signatures (which are disabled by default) in the ServerKeyExchange
> message. It is not believed that this bug can be exploited because a
> fraudulent signature has to be generated in real-time which is not
> known to be possible. However, since attacks can only get better it
> is recommended to update to a GnuTLS version which addresses the
> issue.

Details: 
https://lists.gnupg.org/pipermail/gnutls-devel/2015-April/007572.html
https://bugzilla.redhat.com/show_bug.cgi?id=1218426

https://lists.gnupg.org/pipermail/gnutls-devel/2015-May/007577.html
https://lists.gnupg.org/pipermail/gnutls-devel/2015-May/007578.html

Upstream commit:
https://gitlab.com/gnutls/gnutls/commit/7d9d5c61f8445dc9e9ca47bb575c77cef17da17a

Testcase:
https://gitlab.com/gnutls/gnutls/commit/6822a37947d4e38c45b1afc0121cda35ba897182

Regards,
Salvatore
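The missing check the advisory describes, as an added illustration that is not GnuTLS code: a constructed TLS 1.2 client policy (the pairs the client would send in its signature_algorithms extension) and a function that refuses a ServerKeyExchange whose SignatureAndHashAlgorithm the client never offered. Function names, the contents of the allowed set and the sample messages are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS 1.2 HashAlgorithm / SignatureAlgorithm code points (RFC 5246, 7.4.1.4.1). */
enum { HASH_MD5 = 1, HASH_SHA1 = 2, HASH_SHA256 = 4, HASH_SHA384 = 5 };
enum { SIG_RSA = 1, SIG_ECDSA = 3 };

struct sig_hash { uint8_t hash, sig; };

/* Constructed client policy: the pairs this client advertised in its
 * signature_algorithms extension. MD5 is deliberately not among them. */
static const struct sig_hash client_allowed[] = {
    { HASH_SHA256, SIG_RSA }, { HASH_SHA384, SIG_RSA },
    { HASH_SHA256, SIG_ECDSA }, { HASH_SHA1, SIG_RSA },
};
#define CLIENT_ALLOWED_N (sizeof client_allowed / sizeof client_allowed[0])

/* Buggy behaviour: only checks that the DigitallySigned structure is well
 * formed, so whatever hash the server names (MD5 included) reaches verification. */
int ske_sig_wellformed(const uint8_t *ds, size_t len)
{
    if (len < 4) return 0;                  /* 2-byte algorithm + 2-byte length */
    size_t sig_len = ((size_t)ds[2] << 8) | ds[3];
    return sig_len > 0 && 4 + sig_len <= len;
}

/* Fixed behaviour: additionally require the SignatureAndHashAlgorithm the
 * server chose to be one the client actually offered. Returns 1 if the
 * signature may proceed to verification, 0 if the handshake must abort. */
int ske_sig_alg_acceptable(const uint8_t *ds, size_t len,
                           const struct sig_hash *allowed, size_t n_allowed)
{
    if (!ske_sig_wellformed(ds, len)) return 0;
    for (size_t i = 0; i < n_allowed; i++)
        if (allowed[i].hash == ds[0] && allowed[i].sig == ds[1]) return 1;
    return 0;                               /* the check the advisory says was missing */
}

/* Constructed DigitallySigned prefixes followed by a 2-byte dummy signature body. */
static const uint8_t ske_md5_rsa[]    = { HASH_MD5,    SIG_RSA, 0x00, 0x02, 0xaa, 0xbb };
static const uint8_t ske_sha256_rsa[] = { HASH_SHA256, SIG_RSA, 0x00, 0x02, 0xaa, 0xbb };

int main(void)
{
    printf("md5/rsa:    wellformed=%d acceptable=%d\n",
           ske_sig_wellformed(ske_md5_rsa, sizeof ske_md5_rsa),
           ske_sig_alg_acceptable(ske_md5_rsa, sizeof ske_md5_rsa, client_allowed, CLIENT_ALLOWED_N));
    printf("sha256/rsa: acceptable=%d\n",
           ske_sig_alg_acceptable(ske_sha256_rsa, sizeof ske_sha256_rsa, client_allowed, CLIENT_ALLOWED_N));
    return 0;
}
```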
