Re: Re: gnutls26 security update
On Mon, 02 Jun 2014 15:38:35 +0300, Wolfgang Jeltsch wrote:
> Unfortunately, I still do not get any update for gnutls26, although the
> update should be available now, according to the recent e-mail by Moritz
Regular security.d.o usually has all mirrors updated before the
announcement goes out. I guess squeeze-lts is not as fast.
But after 6 hours I'm *still* not seeing gnutls26 yet at:
> Furthermore, I wonder how serious this problem is. The above
> announcement suggests that it only affects connections where the squeeze
> machine acts as an SSL/TLS client. Is this the case, or is the squeeze
> machine also vulnerable if it runs servers that support SSL/TLS? And are
> there generally any known exploits of this vulnerability?
Not sure, but it sounds quite serious to me. Consider that Exim might
negotiate STARTTLS on any outgoing email. A lot of people might use
wget as root to periodically fetch things via https://. Fortunately at
least CURL seems to link with OpenSSL instead.
At present, NVD hasn't published a write-up or CVSS score yet:
But someone has at least begun to work on a PoC, and I imagine others
are being worked on less publicly: