Re: gnutls26 security update
Am Montag, den 02.06.2014, 09:50 +0200 schrieb Moritz Muehlenhoff:
> Package : gnutls26
> Version : 2.8.6-1+squeeze4
> CVE ID : CVE-2014-3466
> Joonas Kuorilehto discovered that GNU TLS performed insufficient
> validation of session IDs during TLS/SSL handshakes. A malicious
> server could use this to execute arbitrary code or perform denial
> or service.
first of all, thank you for making Debian LTS reality.
Unfortunately, I still do not get any update for gnutls26, although the
update should be available now, according to the recent e-mail by Moritz
Furthermore, I wonder how serious this problem is. The above
announcement suggests that it only affects connections where the squeeze
machine acts as a SSL/TLS client. Is this the case, or is the squeeze
machine also vulnerable if it runs servers that support SSL/TLS? And are
there generally any know exploits of this vulnerability?
All the best,