Re: GNUTLS-SA-2014-1 / CVE-2014-1959 only affects 3.[12].x?
From: mancha
Date: Sat, 15 Feb 2014 15:25:28 +0000 (UTC)
User-agent: Loom/3.14 (http://gmane.org/)

Andreas Metzler <ametzler <at> bebt.de> writes:
>
> Hello,
>
> http://www.gnutls.org/security.html#GNUTLS-SA-2014-1 says: "Suman Jana
> reported a vulnerability that affects the certificate verification
> functions of gnutls 3.1.x and gnutls 3.2.x."
>
> Is this correct, are 3.0.x and 2.x not affected?
>
> cu Andreas

Hello. According to my code review, the issue was introduced in
GnuTLS 2.11.5, when V1 trusted CAs began getting allowed by
default.

Feel free to use my backport for 3.0.32:

http://sf.net/projects/mancha/files/sec/gnutls-3.0.32_CVE-2014-1959.diff

--mancha