Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 528824 (CVE-2014-8564) - <net-libs/gnutls-{3.3.10,3.2.20}: Denial of Service (heap corruption) (CVE-2014-8564)
Summary: <net-libs/gnutls-{3.3.10,3.2.20}: Denial of Service (heap corruption) (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2014-8564
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.gnutls.org/security.html#G...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-10 14:43 UTC by Kristian Fiskerstrand
Modified: 2014-11-10 19:05 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2014-11-10 14:43:46 UTC
From ${URL}:
Sean Burford reported that the encoding of elliptic curves parameters GnuTLS 3 is vulnerable to a denial of service (heap corruption). It affects clients and servers which print information about the peer's certificate, e.g., the key ID, and can be exploited via a specially crafted X.509 certificate.
Recommendation: Upgrade to GnuTLS 3.3.10, 3.2.20 or 3.1.28.

@maintainers: We are still on 2.x series as stable that is no longer maintained. We will therefor need to bump to 3.x or verify that 2.x series is either not affected or backport a fix for this issue.
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2014-11-10 15:04:50 UTC
Whiteboard set to ?3 until it can be determined whether this affects stable (B3) or only unstable packages (~3).
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2014-11-10 15:27:47 UTC
ECC code was added in the 3.x series. So our stable version is not affected.
Comment 3 Alon Bar-Lev gentoo-dev 2014-11-10 18:39:23 UTC
+*gnutls-3.3.10 (10 Nov 2014)
+*gnutls-3.2.20 (10 Nov 2014)
+
+  10 Nov 2014; Alon Bar-Lev <alonbl@gentoo.org> +gnutls-3.2.20.ebuild,
+  +gnutls-3.3.10.ebuild, -gnutls-3.2.18.ebuild, -gnutls-3.3.8.ebuild,
+  -gnutls-3.3.9.ebuild:
+  Version bump + cleanup, bug#528824
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2014-11-10 19:05:19 UTC
Thank you for swift bump and cleanup. 

No stable versions, closing noglsa