Re: gnutls26 security update

To: debian-lts@lists.debian.org
Subject: Re: gnutls26 security update
From: Wolfgang Jeltsch <7o2lccqg@acme.softbase.org>
Date: Mon, 02 Jun 2014 15:38:35 +0300
Message-id: <[🔎] 1401712715.2649.38.camel@idefix>
In-reply-to: <20140602075057.GA2876@pisco.westfalen.local>
References: <20140602075057.GA2876@pisco.westfalen.local>

Am Montag, den 02.06.2014, 09:50 +0200 schrieb Moritz Muehlenhoff:
> Package        : gnutls26
> Version        : 2.8.6-1+squeeze4
> CVE ID         : CVE-2014-3466
> 
> Joonas Kuorilehto discovered that GNU TLS performed insufficient
> validation of session IDs during TLS/SSL handshakes. A malicious
> server could use this to execute arbitrary code or perform denial
> or service.

Hi,

first of all, thank you for making Debian LTS reality.

Unfortunately, I still do not get any update for gnutls26, although the
update should be available now, according to the recent e-mail by Moritz
Muehlenhoff.

Furthermore, I wonder how serious this problem is. The above
announcement suggests that it only affects connections where the squeeze
machine acts as a SSL/TLS client. Is this the case, or is the squeeze
machine also vulnerable if it runs servers that support SSL/TLS? And are
there generally any know exploits of this vulnerability?

All the best,
Wolfgang

Reply to:

Follow-Ups:
- Re: gnutls26 security update
  - From: Matus UHLAR - fantomas <uhlar@fantomas.sk>
- Re: Re: gnutls26 security update
  - From: Steven Chamberlain <steven@pyro.eu.org>

Prev by Date: Re: gnutls26 update and NEW queue
Next by Date: Re: gnutls26 security update
Previous by thread: Re: gnutls26 update and NEW queue
Next by thread: Re: gnutls26 security update
Index(es):
- Date
- Thread