| Summary: | <net-libs/gnutls-{3.3.10,3.2.20}: Denial of Service (heap corruption) (CVE-2014-8564) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | alonbl, crypto+disabled |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.gnutls.org/security.html#GNUTLS-SA-2014-5 | ||
| Whiteboard: | ~3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
Whiteboard set to ?3 until it can be determined whether this affects stable (B3) or only unstable packages (~3). ECC code was added in the 3.x series. So our stable version is not affected. +*gnutls-3.3.10 (10 Nov 2014) +*gnutls-3.2.20 (10 Nov 2014) + + 10 Nov 2014; Alon Bar-Lev <alonbl@gentoo.org> +gnutls-3.2.20.ebuild, + +gnutls-3.3.10.ebuild, -gnutls-3.2.18.ebuild, -gnutls-3.3.8.ebuild, + -gnutls-3.3.9.ebuild: + Version bump + cleanup, bug#528824 Thank you for swift bump and cleanup. No stable versions, closing noglsa |
From ${URL}: Sean Burford reported that the encoding of elliptic curves parameters GnuTLS 3 is vulnerable to a denial of service (heap corruption). It affects clients and servers which print information about the peer's certificate, e.g., the key ID, and can be exploited via a specially crafted X.509 certificate. Recommendation: Upgrade to GnuTLS 3.3.10, 3.2.20 or 3.1.28. @maintainers: We are still on 2.x series as stable that is no longer maintained. We will therefor need to bump to 3.x or verify that 2.x series is either not affected or backport a fix for this issue.