Bug#727660: gnutls28: CVE-2013-4466: GNUTLS-SA-2013-3
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sun Oct 27 15:08:25 UTC 2013
On 10/27/2013 10:17 AM, Andreas Metzler wrote:
> tpm used to be undistributable, see
> <https://gitorious.org/gnutls/gnutls/commit/0fcbd34c953304dd06ebd49389af4b78575bd55b>
> and
> <http://lists.gnutls.org/pipermail/gnutls-devel/2013-October/006539.html>.
right, i saw your note on gnutls-devel about the changes to tpm
licensing, thanks for staying on top of that!
> The dane situation is slightly better, but still sucks. libdane
> requires and links against libunbound. libunbound OTOH is linked
> against OpenSSL's libssl on Debian[1]. Therefore libdane and any
> program using it ends up being dynamically linked against both libssl
> (OpenSSL license) and GnuTLS (LGPLv3+ via gmp).
>
> The result is not undistributable but not very useful, since it is
> e.g. GPL-incompatible.[2] Apart from that it is more than a little bit
> ugly that libdane customers end up being linked against two different
> major TLS toolkits.
ugh, yes, i feared this was the issue. I agree that this outcome seems
problematic. Have you pointed this out to Nikos, or thought about any
possible workaround?
(idly, i wonder if it would be possible to port libunbound to use nettle
instead of openssl's libcrypto)
--dkg
More information about the Pkg-gnutls-maint
mailing list