Heads-up GNUTLS-SA-2020-07-14 [CVE-2023-0361]

Moritz Muehlenhoff jmm at inutil.org
Mon Feb 13 10:58:06 GMT 2023


On Sun, Feb 12, 2023 at 02:32:51PM +0100, Andreas Metzler wrote:
> On 2023-02-10 Andreas Metzler <ametzler at bebt.de> wrote:
> > On 2023-02-10 Andreas Metzler <ametzler at bebt.de> wrote:
> > > Hello,
> 
> > > today's releases of GnuTLS 3.7.9 and 3.8.0 fix "a Bleichenbacher oracle
> > > in the TLS RSA key exchange". Details here:
> > > https://gitlab.com/gnutls/gnutls/-/issues/1050
> 
> > > 3.7.9 is basically a single-bugfix release, since the tarball publication
> > > was delayed I had uploaded a patched 3.7.8-5 instead to sid.
> 
> > according to upstream the problematic code is present in 3.6.5-3.6.16,
> > 3.7.0-3.7.8, i.e. both buster and bullseye.
> 
> Hello,
> 
> 3.7.8 patch applies unmodified without fuzz to 3.7.1.

Hi Andreas,
Thanks! The patch looks fine, please upload to security-master, I'll test it
on a few Bullseye systems in the next 1-2 days before releasing it.

Cheers,
        Moritz
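The exchange above turns on one check: that the 3.7.8 fix "applies unmodified without fuzz" to the older 3.7.1 source before it is uploaded to security-master. The script below is an added example, not code from this thread, from GnuTLS or from Debian, showing how to make that check mechanical with patch(1): a hunk that only lands at an offset, or only after relaxing context, is reported separately from a clean apply and from a rejection. The source files and patch it uses are constructed stand-ins; `v378.c`/`v371-*.c` are hypothetical names, and the script assumes GNU diff and patch are on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuTLS/Debian: check whether a
# patch written against one upstream release applies to an older one "unmodified
# without fuzz", i.e. every hunk lands at its stated line with -F0 and no offset.
# The source files and the patch below are constructed stand-ins.
set -eu

# Returns 0 when the diff applies exactly, 1 when a hunk is rejected, and 2 when
# patch(1) still succeeds but only by shifting a hunk (offset) or relaxing context.
check_patch_applies_cleanly() {
    target="$1"; patchfile="$2"
    out=$(patch --dry-run -F0 "$target" < "$patchfile" 2>&1) || return 1
    case "$out" in
        *offset*|*fuzz*) return 2 ;;
    esac
    return 0
}

# Build the constructed inputs in a scratch directory and print its path.
make_fixture() {
    d=$(mktemp -d)
    # "3.7.8" stand-in: the version the fix was written against.
    printf 'int a(void) {\n    return 1;\n}\nint b(void) {\n    return 2;\n}\n' > "$d/v378.c"
    # The fixed version; only b() changes.
    printf 'int a(void) {\n    return 1;\n}\nint b(void) {\n    return 3;\n}\n' > "$d/v378-fixed.c"
    diff -u "$d/v378.c" "$d/v378-fixed.c" > "$d/fix.patch" || true   # diff exits 1 when files differ
    # "3.7.1" stand-in A: identical context -> applies unmodified.
    cp "$d/v378.c" "$d/v371-same.c"
    # Stand-in B: an extra line above -> same hunk, but at an offset.
    { printf '/* header */\n'; cat "$d/v378.c"; } > "$d/v371-shifted.c"
    # Stand-in C: the function body differs -> hunk is rejected.
    sed 's/return 2;/return 20;/' "$d/v378.c" > "$d/v371-drifted.c"
    printf '%s\n' "$d"
}

# Human-readable verdict for one target file.
verdict() {
    rc=0
    check_patch_applies_cleanly "$1" "$2" || rc=$?
    case $rc in
        0) echo "applies unmodified without fuzz" ;;
        2) echo "applies, but with offset or fuzz (review before backporting)" ;;
        *) echo "does not apply (hunk rejected)" ;;
    esac
}

FIXTURE=$(make_fixture)
for f in v371-same v371-shifted v371-drifted; do
    printf '%-14s %s\n' "$f:" "$(verdict "$FIXTURE/$f.c" "$FIXTURE/fix.patch")"
done
```

The `-F0` flag matters: patch's default fuzz of 2 will silently accept a hunk whose surrounding context no longer matches, which is exactly the situation where a backported security fix can land in the wrong place. Treating "succeeded at an offset" as a warning rather than a pass keeps a reviewer looking at the hunk even when patch exits 0.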



More information about the Pkg-gnutls-maint mailing list