
Re: Re: gnutls26 security update


On Mon, 02 Jun 2014 15:38:35 +0300, Wolfgang Jeltsch wrote:
> Unfortunately, I still do not get any update for gnutls26, although the
> update should be available now, according to the recent e-mail by Moritz
> Muehlenhoff.

Regular security.d.o usually has all mirrors updated before the
announcement goes out.  I guess squeeze-lts is not as fast.

But after 6 hours I'm *still* not seeing gnutls26 yet at:

> Furthermore, I wonder how serious this problem is. The above
> announcement suggests that it only affects connections where the squeeze
> machine acts as a SSL/TLS client. Is this the case, or is the squeeze
> machine also vulnerable if it runs servers that support SSL/TLS? And are
> there generally any know exploits of this vulnerability?

Not sure, but it sounds quite serious to me.  Consider that Exim might
negotiate STARTTLS on any outgoing email.  A lot of people might use
wget as root to periodically fetch things via https://.  Fortunately at
least CURL seems to link with OpenSSL instead.

At present, NVD hasn't published a write-up or CVSS score yet:

But someone has at least begun to work on a PoC, and I imagine others
are being worked on less publicly:

Steven Chamberlain
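The question of which programs on a squeeze box are exposed (wget vs. curl, Exim doing STARTTLS) comes down to which binaries are linked against libgnutls26. The following is an added example, not from the original thread or from Debian: a small POSIX sh helper that parses ldd-style output and reports whether a binary pulls in libgnutls. The function names and the two sample ldd listings are constructed for the demonstration so it runs offline; on a real host you would call links_gnutls on the actual binaries.

```shell
#!/bin/sh
# Added example (not part of the original thread): find binaries that link
# libgnutls by parsing the output of ldd(1).

# Read ldd-style output on stdin and print the first libgnutls* library name.
# Exit status 0 if one was found, 1 otherwise.  Kept separate from ldd itself
# so it can be exercised on captured output.
gnutls_dep_from_ldd() {
    # ldd lines look like: "libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x...)"
    awk '$1 ~ /^libgnutls/ { if (!found) print $1; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Run ldd on a real binary (transitive dependencies included, since ldd
# resolves the whole tree) and report the libgnutls library it maps.
# Exit status: 0 linked, 1 not linked, 2 not an executable.
links_gnutls() {
    bin="$1"
    [ -x "$bin" ] || return 2
    ldd "$bin" 2>/dev/null | gnutls_dep_from_ldd
}

# Constructed sample ldd output (hypothetical addresses) for the offline demo:
# a wget built against GnuTLS and a curl built against OpenSSL.
SAMPLE_WGET='    linux-vdso.so.1 =>  (0x00007fff6f7fe000)
    libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00007f0e3a1e1000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0e39e5b000)'
SAMPLE_CURL='    libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f1d2c000000)
    libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f1d2bc00000)
    libc.so.6 => /lib/libc.so.6 (0x00007f1d2b800000)'

# Report one sample: $1 = label, $2 = captured ldd text.
check_sample() {
    if lib=$(printf '%s\n' "$2" | gnutls_dep_from_ldd); then
        printf '%s: links %s (affected by a gnutls26 bug)\n' "$1" "$lib"
        return 0
    else
        printf '%s: no libgnutls dependency\n' "$1"
        return 1
    fi
}

check_sample wget "$SAMPLE_WGET"
check_sample curl "$SAMPLE_CURL" || true
```

On a live system, `links_gnutls /usr/bin/wget` or `links_gnutls /usr/sbin/exim4` gives the same answer for the real binaries; note that ldd only reports libraries resolved at load time, so a program that dlopen()s GnuTLS (or loads a plugin that does) will not show up and still needs the update.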
