
Re: gnutls26 security update



On Monday, 02.06.2014, at 09:50 +0200, Moritz Muehlenhoff wrote:
Package        : gnutls26
Version        : 2.8.6-1+squeeze4
CVE ID         : CVE-2014-3466

Joonas Kuorilehto discovered that GNU TLS performed insufficient
validation of session IDs during TLS/SSL handshakes. A malicious
server could use this to execute arbitrary code or perform denial
of service.

On 02.06.14 15:38, Wolfgang Jeltsch wrote:
Unfortunately, I still do not get any update for gnutls26, although the
update should be available now, according to the recent e-mail by Moritz
Muehlenhoff.

the lts packages are distributed through standard mirrors, where higher delays can occur than on security.debian.org...

Furthermore, I wonder how serious this problem is. The above
announcement suggests that it only affects connections where the squeeze
machine acts as an SSL/TLS client. Is this the case, or is the squeeze
machine also vulnerable if it runs servers that support SSL/TLS? And are
there generally any known exploits of this vulnerability?

no idea on this issue...

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!

