Date: Mon, 10 Aug 2015 11:23:02 +0200
From: Martin Prpic <mprpic@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE request: GNUTLS-SA-2015-3 double free in certificate DN decoding

Hi,

GnuTLS released versions 3.4.4 and 3.3.17 that fix one security issue:

http://www.gnutls.org/security.html#GNUTLS-SA-2015-3

"Kurt Roeckx reported that decoding a specific certificate with very long
DistinguishedName (DN) entries leads to a double free, which may result in
a denial of service. Since DN decoding occurs in almost all applications
using certificates, it is recommended to upgrade to the latest GnuTLS
version fixing the issue.

Recommendation: Upgrade to GnuTLS 3.4.4, or 3.3.17."

The upstream patch that fixes this issue is available at:

https://gitlab.com/gnutls/gnutls/commit/272854367efc130fbd4f1a51840d80c630214e12

Can a CVE please be assigned to this issue?

Also, there is still no CVE for the issue before this one. The CVE request
was sent on May 5:

http://seclists.org/oss-sec/2015/q2/367

Can a CVE be assigned to this as well?

Thank you!

Refs:

rhbz GNUTLS-SA-2015-2: https://bugzilla.redhat.com/1218426
rhbz GNUTLS-SA-2015-3: https://bugzilla.redhat.com/1251902

-- 
Martin Prpič / Red Hat Product Security
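The advisory quoted above names the first fixed release on each supported branch (3.4.4 and 3.3.17), and a version check that ignores the branch gets this wrong in both directions (3.3.17 is fixed although it is numerically "older" than 3.4.3, which is not). The script below is an added example, not part of the message above and not GnuTLS code; it encodes only the two fixed versions the advisory states. It assumes upstream version numbering: a distribution package that backports the patch without bumping the version is reported as vulnerable here, and branches the advisory does not name (3.2.x and earlier) are reported as unsupported rather than guessed at. The `pkg-config --modversion gnutls` lookup is a convenience for the local check; the verdict logic itself takes a plain version string.

```python
"""Classify a GnuTLS version against the GNUTLS-SA-2015-3 fixed releases.

Added example (not GnuTLS code). Fixed versions are taken from the advisory:
3.4.4 on the 3.4 branch and 3.3.17 on the 3.3 branch. Assumption: upstream
version numbers; backported distro fixes are not detected.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per branch, as stated in the advisory.
FIXED: dict = {
    (3, 4): (3, 4, 4),
    (3, 3): (3, 3, 17),
}


def parse_version(text: str) -> Version:
    """Pull the first x.y.z triple out of a string such as '3.3.17',
    'gnutls-cli 3.4.4' or '3.4.4-1ubuntu1' (a distro suffix is ignored)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def status(version_text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unsupported' for a version string.

    - On a branch the advisory names, compare against that branch's fix.
    - Branches newer than 3.4 were cut after the fix and count as fixed
      (assumption; the advisory itself only speaks of 3.3 and 3.4).
    - Older branches are not covered by the advisory: 'unsupported'.
    """
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED:
        return "fixed" if v >= FIXED[branch] else "vulnerable"
    if branch > (3, 4):
        return "fixed"
    return "unsupported"


def installed_version() -> Optional[str]:
    """Ask pkg-config for the locally installed GnuTLS version, or None if
    pkg-config or the gnutls .pc file is not available."""
    if shutil.which("pkg-config") is None:
        return None
    try:
        proc = subprocess.run(
            ["pkg-config", "--modversion", "gnutls"],
            capture_output=True, text=True, check=True,
        )
    except subprocess.CalledProcessError:
        return None
    return proc.stdout.strip()


if __name__ == "__main__":
    local = installed_version()
    if local is None:
        print("GnuTLS not found via pkg-config; pass a version string to status()")
    else:
        print(f"GnuTLS {local}: {status(local)} for GNUTLS-SA-2015-3")
```

A vulnerable verdict from this script means the reported version predates the fix on its branch; check the distribution's changelog for a backported patch before concluding the DN decoder is actually exploitable on that host.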