Bug#648441: CVE-2011-4128: GNUTLS-SA-2011-2
Moritz Muehlenhoff
jmm at inutil.org
Thu Dec 22 16:44:55 UTC 2011
On Fri, Nov 11, 2011 at 04:35:56PM +0100, Simon Josefsson wrote:
> On Fri, 2011-11-11 at 16:10 +0100, Moritz Muehlenhoff wrote:
> > Package: gnutls26
> > Severity: important
> > Tags: security
> >
> > Please see http://www.gnu.org/s/gnutls/security.html for details.
> >
> > Fixes:
> > http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=7fc8fa6464d305440fddab423079c76a915decc3
> > http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=588708465992e1d9fc09cf4e3a39caef878428d9
> >
> > Given the following inline documentation I would assume that this
> > could be triggered by a malicious server providing a service over
> > TLS to crash the client, but not the other way 'round. Is that correct?
>
> As far as I understand, the client also has to be written in a
> vulnerable way. The example code doesn't, and likely there are few
> clients like that around. More investigation is warranted...
Andreas, can you fix this for the upcoming stable point update?
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
Although it's minor, it would be nice to fix it up in stable.
Cheers,
Moritz