gnutls issues CVE-2017-533[4567]

Andreas Metzler ametzler at bebt.de
Sun Feb 5 13:21:34 UTC 2017


Hello,

do you intend to fix CVE-2017-5337 CVE-2017-5336 CVE-2017-5335 CVE-2017-5334
by DSA?

| It was found using the OSS-FUZZ fuzzer infrastructure that decoding a
| specially crafted OpenPGP certificate could lead to heap and stack
| overflows. This issue was fixed in GnuTLS 3.3.26 and 3.5.8.
| Recommendation: The support of OpenPGP certificates in GnuTLS is
| considered obsolete. As such, it is not recommended to use OpenPGP
| certificates with GnuTLS. To address the issues found upgrade to GnuTLS
| 3.3.26, 3.5.8 or later versions.
| 
| It was found using the OSS-FUZZ fuzzer infrastructure that decoding a
| specially crafted X.509 certificate with Proxy Certificate Information
| extension present could lead to a double free. This issue was fixed in
| GnuTLS 3.3.26 and 3.5.8. Recommendation: Upgrade to GnuTLS 3.3.26, 3.5.8
| or later versions.

If not, I have started preparing a candidate for stable which - inter alia -
would fix these and would appreciate some doublechecking.

thanks, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
A non-text attachment was scrubbed...
Name: possible.debdiff.patch
Type: text/x-diff
Size: 26699 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20170205/4ae1063c/attachment-0001.patch>


More information about the Pkg-gnutls-maint mailing list