Re: gnutls26 security update

On Monday, 02.06.2014, 09:50 +0200, Moritz Muehlenhoff wrote:
> Package        : gnutls26
> Version        : 2.8.6-1+squeeze4
> CVE ID         : CVE-2014-3466
> Joonas Kuorilehto discovered that GNU TLS performed insufficient
> validation of session IDs during TLS/SSL handshakes. A malicious
> server could use this to execute arbitrary code or perform denial
> of service.

first of all, thank you for making Debian LTS reality.

Unfortunately, I still do not get any update for gnutls26, although the
update should be available now, according to the recent e-mail by Moritz.

Furthermore, I wonder how serious this problem is. The above
announcement suggests that it only affects connections where the squeeze
machine acts as an SSL/TLS client. Is this the case, or is the squeeze
machine also vulnerable if it runs servers that support SSL/TLS? And are
there generally any known exploits of this vulnerability?

All the best,
