Date: Mon, 10 Aug 2015 11:23:02 +0200 From: Martin Prpic <mprpic@...hat.com> To: "oss-security\@lists.openwall.com" <oss-security@...ts.openwall.com> Subject: CVE request: GNUTLS-SA-2015-3 double free in certificate DN decoding Hi, GnuTLS released versions 3.4.4 and 3.3.17 that fix one security issue: http://www.gnutls.org/security.html#GNUTLS-SA-2015-3 "Kurt Roeckx reported that decoding a specific certificate with very long DistinguishedName (DN) entries leads to double free, which may result to a denial of service. Since the DN decoding occurs in almost all applications using certificates it is recommended to upgrade the latest GnuTLS version fixing the issue. Recommendation: Upgrade to GnuTLS 3.4.4, or 3.3.17." The upstream patch that fixes this issue is available at: https://gitlab.com/gnutls/gnutls/commit/272854367efc130fbd4f1a51840d80c630214e12 Can a CVE please be assigned to this issue? Also, there is still no CVE for the issue before this one. The CVE request was sent on May 5: http://seclists.org/oss-sec/2015/q2/367 Can a CVE be assigned to this as well? Thank you! Refs: rhbz GNUTLS-SA-2015-2: https://bugzilla.redhat.com/1218426 rhbz GNUTLS-SA-2015-3: https://bugzilla.redhat.com/1251902 -- Martin Prpič / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.