gnutls-devel

Re: GNUTLS-SA-2014-1 / CVE-2014-1959 only affects 3.[12].x?


From: mancha
Subject: Re: GNUTLS-SA-2014-1 / CVE-2014-1959 only affects 3.[12].x?
Date: Sat, 15 Feb 2014 15:25:28 +0000 (UTC)
User-agent: Loom/3.14 (http://gmane.org/)

Andreas Metzler <ametzler <at> bebt.de> writes:
> 
> Hello,
> 
> http://www.gnutls.org/security.html#GNUTLS-SA-2014-1 says: "Suman Jana
> reported a vulnerability that affects the certificate verification
> functions of gnutls 3.1.x and gnutls 3.2.x."
> 
> Is this correct, are 3.0.x and 2.x not affected?
> 
> cu Andreas

Hello. According to my code review, the issue was introduced in
GnuTLS 2.11.5, when V1 trusted CAs began getting allowed by
default.

Feel free to use my backport for 3.0.32:

http://sf.net/projects/mancha/files/sec/gnutls-3.0.32_CVE-2014-1959.diff

--mancha






