Bug#727660: gnutls28: CVE-2013-4466: GNUTLS-SA-2013-3

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Oct 27 15:08:25 UTC 2013


On 10/27/2013 10:17 AM, Andreas Metzler wrote:

> tpm used to be undistributable, see
> <https://gitorious.org/gnutls/gnutls/commit/0fcbd34c953304dd06ebd49389af4b78575bd55b>
> and
> <http://lists.gnutls.org/pipermail/gnutls-devel/2013-October/006539.html>.

Right, I saw your note on gnutls-devel about the changes to tpm
licensing, thanks for staying on top of that!

> The dane situation is slightly better, but still sucks. libdane
> requires and links against libunbound. libunbound OTOH is linked
> against OpenSSL's libssl on Debian[1]. Therefore libdane and any
> program using it ends up being dynamically linked against both libssl
> (OpenSSL license) and GnuTLS (LGPLv3+ via gmp).
>
> The result is not undistributable but not very useful, since it is
> e.g. GPL-incompatible.[2] Apart from that it is more than a little bit
> ugly that libdane customers end up being linked against two different
> major TLS toolkits.

Ugh, yes, I feared this was the issue. I agree that this outcome seems
problematic. Have you pointed this out to Nikos, or thought about any
possible workaround?

(Idly, I wonder if it would be possible to port libunbound to use nettle
instead of OpenSSL's libcrypto.)

	--dkg
