gnutls issues CVE-2017-533[4567]
Moritz Mühlenhoff
jmm at inutil.org
Sun Feb 5 17:10:05 UTC 2017
On Sun, Feb 05, 2017 at 02:21:34PM +0100, Andreas Metzler wrote:
> Hello,
>
> do you intend to fix CVE-2017-5337 CVE-2017-5336 CVE-2017-5335 CVE-2017-5334
> by DSA?
>
> | It was found using the OSS-FUZZ fuzzer infrastructure that decoding a
> | specially crafted OpenPGP certificate could lead to heap and stack
> | overflows. This issue was fixed in GnuTLS 3.3.26 and 3.5.8.
> | Recommendation: The support of OpenPGP certificates in GnuTLS is
> | considered obsolete. As such, it is not recommended to use OpenPGP
> | certificates with GnuTLS. To address the issues found upgrade to GnuTLS
> | 3.3.26, 3.5.8 or later versions.
> |
> | It was found using the OSS-FUZZ fuzzer infrastructure that decoding a
> | specially crafted X.509 certificate with Proxy Certificate Information
> | extension present could lead to a double free. This issue was fixed in
> | GnuTLS 3.3.26 and 3.5.8. Recommendation: Upgrade to GnuTLS 3.3.26, 3.5.8
> | or later versions.
>
> If not, I have started preparing a candidate for stable which - inter alia -
> would fix these and would appreciate some doublechecking.
Thanks for working on this, I think updating them via a jessie point update
is fine.
Cheers,
Moritz