Bug#752610: lynx: Can connect to CVE-2014-1959 test site

Andreas Metzler ametzler at bebt.de
Thu Jun 26 17:58:04 UTC 2014


On 2014-06-25 Kurt Roeckx <kurt at roeckx.be> wrote:
> Package: lynx-cur, libgnutls26
> Severity: serious
> Tags: security

> Hi,

> There is a test site for checking the gnutls bug:
> https://gnutls.notary.icsi.berkeley.edu/

> I can connect to it and get the message:
>    If you see this without getting a certificate error you are
>    vulnerable against the GnuTLS bug
[...]

Hello Kurt,

afaiui this site checks for CVE-2014-0092, not CVE-2014-1959, and
indeed an important difference comes up when comparing

    gnutls-cli -p 443 gnutls.notary.icsi.berkeley.edu --x509cafile \
        /etc/ssl/certs/ca-certificates.crt

with libgnutls26_2.12.20-8 and libgnutls26_2.12.20-8+deb7u1. The older
unfixed version connects successfully and trusts the certificate; the
newer one does not.

Also, for reference, reproducing the issue on current sid/testing
requires downgrading libtasn1-6 to <= 3.2-1.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


