
[Nufw-Announces] GnuTLS critical upgrade


From: nufw-announces
Subject: [Nufw-Announces] GnuTLS critical upgrade
Date: Thu, 28 Apr 2005 15:53:48 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050324 Debian/1.7.6-1

Greetings,

The NuFW core team has found a bug in GnuTLS. All versions of GnuTLS (1.0 Branch <= 1.0.24, 1.2 Branch <= 1.2.2) are concerned.

The bug was found while performing heavy stress tests on the nuauth daemon, with invalid logins/passwords. The bug leads to no exploit that we know of, but allowed a malicious user to bring down the nuauth daemon.

The bug was reported by us yesterday to the GnuTLS team, which reacted very quickly by releasing versions 1.0.25 and 1.2.3, which both fix the flaw.

We, the NuFW maintainers, advise all users to upgrade their GnuTLS installations as soon as possible. Of course, not only NuFW is concerned, but also other packages using the GnuTLS library such as (maybe) openldap.

For Debian users, we have put Sarge packages online that fix this flaw (the official Debian fix should however be available within a few days). They are available at http://www.nufw.org/download/gnutls/.

At the same URL, the diff file patching GnuTLS sources is also available.

Also, we are proud to announce that NuFW 1.0.3 will be released within very few days, with many minor fixes and cleanups.

Happy user filtering,

Vincent Deffontaines



