Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 10 Aug 2015 11:23:02 +0200
From: Martin Prpic <mprpic@...hat.com>
To: "oss-security\@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE request: GNUTLS-SA-2015-3 double free in certificate DN decoding

Hi,

GnuTLS released versions 3.4.4 and 3.3.17 that fix one security issue:

http://www.gnutls.org/security.html#GNUTLS-SA-2015-3

"Kurt Roeckx reported that decoding a specific certificate with very
long DistinguishedName (DN) entries leads to double free, which may
result to a denial of service. Since the DN decoding occurs in almost
all applications using certificates it is recommended to upgrade the
latest GnuTLS version fixing the issue. Recommendation: Upgrade to
GnuTLS 3.4.4, or 3.3.17."

The upstream patch that fixes this issue is available at:

https://gitlab.com/gnutls/gnutls/commit/272854367efc130fbd4f1a51840d80c630214e12

Can a CVE please be assigned to this issue?

Also, there is still no CVE for the issue before this one. The CVE
request was sent on May 5:

http://seclists.org/oss-sec/2015/q2/367

Can a CVE be assigned to this as well?

Thank you!

Refs:
rhbz GNUTLS-SA-2015-2: https://bugzilla.redhat.com/1218426
rhbz GNUTLS-SA-2015-3: https://bugzilla.redhat.com/1251902

-- 
Martin Prpič / Red Hat Product Security

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ