Date: Tue, 5 May 2015 10:47:49 +0200
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Cc: CVE Assignments MITRE <>
Subject: CVE Request: GnuTLS: GNUTLS-SA-2015-2: MD5-based ServerKeyExchange signature accepted by default


I wonder if the following issue in GnuTLS should get a CVE:

> Karthikeyan Bhargavan reported that a ServerKeyExchange signature
> sent by the server is not verified to be in the acceptable by the
> client set of algorithms. That has the effect of allowing MD5
> signatures (which are disabled by default) in the ServerKeyExchange
> message. It is not believed that this bug can be exploited because a
> fraudulent signature has to be generated in real-time which is not
> known to be possible. However, since attacks can only get better it
> is recommended to update to a GnuTLS version which addresses the
> issue.


Upstream commit:


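The advisory quoted above describes a missing membership check: the TLS 1.2 client advertises a set of SignatureAndHashAlgorithm pairs in its signature_algorithms extension, and the server's ServerKeyExchange signature must use one of them, but the client side never confirmed that, so an MD5 signature was accepted although MD5 was disabled by default. The following C program is an added illustration written for this page, not GnuTLS code and not the upstream fix; it parses a constructed signature_algorithms extension body, shows a vulnerable acceptance check next to a fixed one, and demonstrates that only the fixed check rejects an MD5/RSA ServerKeyExchange. The function and type names are invented for the example.

```c
/* Added example (not GnuTLS code): enforce that the SignatureAndHashAlgorithm
 * a server uses for its ServerKeyExchange signature is one the client actually
 * offered in its ClientHello signature_algorithms extension (TLS 1.2,
 * RFC 5246 section 7.4.1.4.1). GNUTLS-SA-2015-2 is the absence of this check. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* HashAlgorithm and SignatureAlgorithm code points from RFC 5246. */
enum { HASH_MD5 = 1, HASH_SHA1 = 2, HASH_SHA256 = 4, HASH_SHA384 = 5 };
enum { SIG_RSA = 1, SIG_DSA = 2, SIG_ECDSA = 3 };

typedef struct { uint8_t hash; uint8_t sig; } sig_hash_alg;

/* Parse a signature_algorithms extension body: a 2-byte length followed by
 * (hash, sig) byte pairs. Returns the number of pairs stored, or -1 if the
 * encoding is malformed or does not fit in out[]. */
int parse_signature_algorithms(const uint8_t *ext, size_t ext_len,
                               sig_hash_alg *out, size_t max_out)
{
    if (ext_len < 2) return -1;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len % 2 != 0 || list_len + 2 != ext_len) return -1;
    size_t n = list_len / 2;
    if (n > max_out) return -1;
    for (size_t i = 0; i < n; i++) {
        out[i].hash = ext[2 + 2 * i];
        out[i].sig  = ext[3 + 2 * i];
    }
    return (int)n;
}

/* Vulnerable variant: only checks that the signature type matches the server
 * certificate's key type and takes the hash the server chose at face value.
 * This is the bug class in the advisory: MD5 is accepted although the client
 * never offered it. */
int ske_alg_acceptable_vulnerable(sig_hash_alg chosen, uint8_t cert_sig_type)
{
    return chosen.sig == cert_sig_type;
}

/* Fixed variant: the chosen pair must match the certificate key type AND be
 * one of the pairs the client advertised; otherwise the handshake must abort. */
int ske_alg_acceptable_fixed(sig_hash_alg chosen, uint8_t cert_sig_type,
                             const sig_hash_alg *offered, size_t n_offered)
{
    if (chosen.sig != cert_sig_type) return 0;
    for (size_t i = 0; i < n_offered; i++)
        if (offered[i].hash == chosen.hash && offered[i].sig == chosen.sig)
            return 1;
    return 0;
}

/* Constructed sample extension body: a client offering SHA256/RSA,
 * SHA384/RSA and SHA256/ECDSA, and deliberately no MD5. */
static const uint8_t sample_ext[] = { 0x00, 0x06,
                                      HASH_SHA256, SIG_RSA,
                                      HASH_SHA384, SIG_RSA,
                                      HASH_SHA256, SIG_ECDSA };

/* Number of pairs parsed from the sample extension (3), or -1 on error. */
int sample_offered_count(void)
{
    sig_hash_alg offered[8];
    return parse_signature_algorithms(sample_ext, sizeof sample_ext, offered, 8);
}

/* Result of the fixed check for a server that signed with (hash, sig),
 * against the sample client offer; the certificate key type is taken as sig. */
int sample_accepts(uint8_t hash, uint8_t sig)
{
    sig_hash_alg offered[8];
    int n = parse_signature_algorithms(sample_ext, sizeof sample_ext, offered, 8);
    if (n < 0) return -1;
    sig_hash_alg chosen = { hash, sig };
    return ske_alg_acceptable_fixed(chosen, sig, offered, (size_t)n);
}

/* Returns 1 exactly when an MD5/RSA ServerKeyExchange passes the vulnerable
 * check but is rejected by the fixed one. */
int demo_md5_downgrade(void)
{
    sig_hash_alg md5_rsa = { HASH_MD5, SIG_RSA };
    int vuln = ske_alg_acceptable_vulnerable(md5_rsa, SIG_RSA);
    int fixed = sample_accepts(HASH_MD5, SIG_RSA);
    return vuln == 1 && fixed == 0;
}

int main(void)
{
    printf("MD5/RSA accepted by vulnerable check, rejected by fixed check: %s\n",
           demo_md5_downgrade() == 1 ? "yes" : "no");
    return 0;
}
```

The fixed check also covers the case where the server picks a hash the client offered but with a signature type it never paired with that hash; a strict pair-wise comparison, rather than separate hash and signature allow-lists, is what the extension's encoding calls for.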
