Re: Re: gnutls26 security update
Hi,
On Mon, 02 Jun 2014 15:38:35 +0300, Wolfgang Jeltsch wrote:
> Unfortunately, I still do not get any update for gnutls26, although the
> update should be available now, according to the recent e-mail by Moritz
> Muehlenhoff.
Regular security.d.o usually has all mirrors updated before the
announcement goes out. I guess squeeze-lts is not as fast.
But after 6 hours I'm *still* not seeing gnutls26 yet at:
ftp://ftp.debian.org/debian/dists/squeeze-lts/main/binary-amd64/
ftp://ftp.uk.debian.org/debian/dists/squeeze-lts/main/binary-amd64/
ftp://ftp.de.debian.org/debian/dists/squeeze-lts/main/binary-amd64/
> Furthermore, I wonder how serious this problem is. The above
> announcement suggests that it only affects connections where the squeeze
> machine acts as a SSL/TLS client. Is this the case, or is the squeeze
> machine also vulnerable if it runs servers that support SSL/TLS? And are
> there generally any known exploits of this vulnerability?
Not sure, but it sounds quite serious to me. Consider that Exim might
negotiate STARTTLS on any outgoing email. A lot of people might use
wget as root to periodically fetch things via https://. Fortunately at
least CURL seems to link with OpenSSL instead.
At present, NVD hasn't published a write-up or CVSS score yet:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3466
But someone has at least begun to work on a PoC, and I imagine others
are being worked on less publicly:
https://github.com/azet/CVE-2014-3466_PoC
Regards,
--
Steven Chamberlain
steven@pyro.eu.org