Bug#752610: lynx: Can connect to CVE-2014-1959 test site

Kurt Roeckx kurt at roeckx.be
Thu Jun 26 18:22:12 UTC 2014


On Thu, Jun 26, 2014 at 07:58:04PM +0200, Andreas Metzler wrote:
> On 2014-06-25 Kurt Roeckx <kurt at roeckx.be> wrote:
> > Package: lynx-cur, libgnutls26
> > Severity: serious
> > Tags: security
> 
> > Hi,
> 
> > There is a test site for checking the gnutls bug:
> > https://gnutls.notary.icsi.berkeley.edu/
> 
> > I can connect to it and get the message:
> >    If you see this without getting a certificate error you are
> >    vulnerable against the GnuTLS bug
> [...]
> 
> Hello Kurt,
> 
> afaiui this site checks for CVE-2014-0092, not CVE-2014-1959, and

You're right, wrong CVE.

> indeed an important difference comes up when comparing
> gnutls-cli -p 443 gnutls.notary.icsi.berkeley.edu --x509cafile \
> /etc/ssl/certs/ca-certificates.crt
> with libgnutls26_2.12.20-8 and libgnutls26_2.12.20-8+deb7u1. The older
> unfixed version connects successfully and trusts the certificate, the
> newer one does not.

As said, I can reproduce it with +deb7u2.

> Also for reference reproducing the issue on current sid/testing
> requires downgrading libtasn1-6 to <= 3.2-1.

I can reproduce it with 3.6-3 in testing and libtasn1-3 2.13-2 in
stable.

I also understand that not everybody can reproduce it.  I can't
reproduce it on at least 2 different systems but not on a 3rd.


Kurt


