Bug#782776: CVE-2015-3308

Salvatore Bonaccorso carnil at debian.org
Sun Apr 19 04:20:35 UTC 2015


Hi Andreas,

On Sat, Apr 18, 2015 at 07:22:46PM +0200, Andreas Metzler wrote:
> On 2015-04-17 Moritz Muehlenhoff <jmm at debian.org> wrote:
> > Hi Andreas,
> > this was assigned CVE-2015-3308:
> > http://www.openwall.com/lists/oss-security/2015/04/15/6  
> 
> > gnutls in wheezy or squeeze should not be affected, the
> > code was introduced in 3.3 (please double-check).

FYI: Should have been introduced with 3.3.0, yes:
http://gnutls.org/manual/html_node/X509-certificate-API.html#gnutls_005fx509_005fext_005fimport_005fcrl_005fdist_005fpoints-1
(have accordingly added the found version to the BTS).

> > This doesn't seem severe, could you fix this in the first
> > jessie point release?
> 
> Hello,
> 
> I will push an upload to unstable to get some free testing and will try
> to get this fixed in jessie, either with a separate upload or (if jessie
> is delayed) an unblock.

Note that there will probably be no more unblocks now since we are
effectively in deep freeze for the jessie release. So this update will
most likely go through either a jessie-proposed-update, or a
jessie-security update.

Regards,
Salvatore
