Re: CVE-2009-3555 not addressed in OpenSSL
Florian Weimer <email@example.com> writes:
> * Simon Josefsson:
>> FWIW, the latest stable GnuTLS version with RFC 5746 support is not
>> even in testing, so it won't be part of even the next stable.
> What would be required to get a backport of RFC 5746 support into the
> current stable (considering that we do not want to incorporate too
> many unrelated changes)?
Someone to move the changes from the 2.10.x branch back on to 2.8.x, and
to make sure it is working properly. There are self tests to check that
a backport is working:
The new API to query whether the extension is negotiated or not is also
needed, but that shouldn't cause any problems as far as I can see. A
binary using the new API wouldn't work with the original gnutls in
stable, though, but I think that is an acceptable price?