Date: Mon, 10 Aug 2015 11:23:02 +0200
From: Martin Prpic <>
To: "oss-security" <>
Subject: CVE request: GNUTLS-SA-2015-3 double free in certificate DN decoding


GnuTLS released versions 3.4.4 and 3.3.17 that fix one security issue:

"Kurt Roeckx reported that decoding a specific certificate with very
long DistinguishedName (DN) entries leads to double free, which may
result to a denial of service. Since the DN decoding occurs in almost
all applications using certificates it is recommended to upgrade the
latest GnuTLS version fixing the issue. Recommendation: Upgrade to
GnuTLS 3.4.4, or 3.3.17."

The upstream patch that fixes this issue is available at:

Can a CVE please be assigned to this issue?

Also, there is still no CVE for the issue before this one. The CVE
request was sent on May 5:

Can a CVE be assigned to this as well?

Thank you!

rhbz GNUTLS-SA-2015-2:
rhbz GNUTLS-SA-2015-3:

Martin Prpič / Red Hat Product Security
