Bug#727660: gnutls28: CVE-2013-4466: GNUTLS-SA-2013-3

Andreas Metzler ametzler at bebt.de
Sun Oct 27 14:17:07 UTC 2013

On 2013-10-26 Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On 10/26/2013 02:24 AM, Andreas Metzler wrote:
> >> On Fri, Oct 25, 2013 at 09:56:58AM -0400, Daniel Kahn Gillmor wrote:
> >>> btw, it's not clear to me why we --disable-libdane -- I see that it was
> >>> set (along with --without-tpm) in 3.1.3-1, but i don't see the reason
> >>> for it.  could that be clarified someplace?

>> --without-tpm had some license rationale, --disable-libdane might have
>> been related to licensing (I think it was one of the leftover LGPLv3
>> GnuTLS parts at this time and I have not completely given up on a
>> LGPLv2+ GnuTLS stack.). If there is *strong* interest in libdane I can
>> doublecheck and enable if feasible (or else document).

> I am interested in libdane, and would like to know what the rationale
> is.  I'd also be curious to know more about "some license rationale" for
> --without-tpm, though i consider TPM of much lower interest compared to


tpm used to be undistributable, see

The dane situation is slightly better, but still sucks. libdane
requires and links against libunbound. libunbound OTOH is linked
against OpenSSL's libssl on Debian[1]. Therefore libdane and any
program using it ends up being dynamically linked against both libssl
(OpenSSL license) and GnuTLS (LGPLv3+ via gmp).

The result is not undistributable but not very useful, since it is
e.g. GPL-incompatible.[2] Apart from that it is more than a little bit
ugly that libdane customers end up being linked against two different
major TLS toolkits.

cu Andreas

[1] From a quick look at unbound's ./configure it looks like it could
use NSS instead of OpenSSL. I guess the license situation might be
better then, but the ugliness still remains.
[2] GnuTLS' danetool commandline program is GPLv3 and would therefore
be undistributable.
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
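The dependency chain Andreas describes (libdane links libunbound, which links OpenSSL's libssl, while libdane itself is GnuTLS) is easy to confirm on an installed system with `ldd`. The following is an added example, not code from the post or from the GnuTLS or Debian projects: a small POSIX sh helper that reads `ldd` output and reports which TLS toolkits appear in a binary's link closure. The embedded `ldd` sample is constructed for illustration (library versions and paths are hypothetical), so the script runs offline; on a real box you would pipe `ldd "$(command -v danetool)"` into the same function.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): flag binaries whose shared
# library closure references more than one TLS toolkit, e.g. a libdane consumer
# pulling in libssl (via libunbound) next to libgnutls.

# Constructed sample of ldd output for a hypothetical libdane consumer.
# Versions and paths are made up for the example, not captured from a system.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd00000000)
    libdane.so.0 => /usr/lib/x86_64-linux-gnu/libdane.so.0 (0x00007f0000000000)
    libunbound.so.2 => /usr/lib/x86_64-linux-gnu/libunbound.so.2 (0x00007f0000100000)
    libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000200000)
    libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000300000)
    libgnutls.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls.so.28 (0x00007f0000400000)
    libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f0000500000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000600000)'

# tls_toolkits_in_ldd: read ldd output on stdin and print the TLS toolkits it
# references, one per line, sorted and de-duplicated. Recognised names:
# "openssl" (libssl/libcrypto), "gnutls" (libgnutls), "nss" (libnss3).
tls_toolkits_in_ldd() {
    awk '
        /^[[:space:]]*(libssl|libcrypto)\.so/ { print "openssl" }
        /^[[:space:]]*libgnutls\.so/          { print "gnutls" }
        /^[[:space:]]*libnss3\.so/            { print "nss" }
    ' | sort -u
}

# mixed_tls_toolkits: succeed (exit 0) when the ldd output on stdin references
# more than one TLS toolkit, fail (exit 1) otherwise.
mixed_tls_toolkits() {
    n=$(tls_toolkits_in_ldd | wc -l | tr -d ' ')
    [ "$n" -gt 1 ]
}

# Run against the constructed sample. On a real system replace the printf with
#   ldd "$(command -v danetool)"
printf '%s\n' "$SAMPLE_LDD" | tls_toolkits_in_ldd
if printf '%s\n' "$SAMPLE_LDD" | mixed_tls_toolkits; then
    echo "mixed TLS toolkits in link closure"
fi
```

The check only looks at what `ldd` resolves, so a toolkit loaded at runtime via dlopen would not show up; for the libdane case that does not matter, since libunbound's libssl dependency is a plain DT_NEEDED entry.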
