Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 10 Aug 2015 11:23:02 +0200
From: Martin Prpic <mprpic@...hat.com>
To: "oss-security\@lists.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE request: GNUTLS-SA-2015-3 double free in certificate DN decoding

Hi,

GnuTLS released versions 3.4.4 and 3.3.17 that fix one security issue:

http://www.gnutls.org/security.html#GNUTLS-SA-2015-3

"Kurt Roeckx reported that decoding a specific certificate with very
long DistinguishedName (DN) entries leads to double free, which may
result to a denial of service. Since the DN decoding occurs in almost
all applications using certificates it is recommended to upgrade the
latest GnuTLS version fixing the issue. Recommendation: Upgrade to
GnuTLS 3.4.4, or 3.3.17."

The upstream patch that fixes this issue is available at:

https://gitlab.com/gnutls/gnutls/commit/272854367efc130fbd4f1a51840d80c630214e12

Can a CVE please be assigned to this issue?

Also, there is still no CVE for the issue before this one. The CVE
request was sent on May 5:

http://seclists.org/oss-sec/2015/q2/367

Can a CVE be assigned to this as well?

Thank you!

Refs:
rhbz GNUTLS-SA-2015-2: https://bugzilla.redhat.com/1218426
rhbz GNUTLS-SA-2015-3: https://bugzilla.redhat.com/1251902

-- 
Martin Prpič / Red Hat Product Security

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.