gnutls-devel

Re: GNUTLS-SA-2014-1 / CVE-2014-1959 only affects 3.[12].x?


From: Nikos Mavrogiannopoulos
Subject: Re: GNUTLS-SA-2014-1 / CVE-2014-1959 only affects 3.[12].x?
Date: Sat, 15 Feb 2014 18:14:51 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131103 Icedove/17.0.10

On 02/15/2014 04:25 PM, mancha wrote:

>> Hello,
>>
>> http://www.gnutls.org/security.html#GNUTLS-SA-2014-1 says: "Suman Jana
>> reported a vulnerability that affects the certificate verification
>> functions of gnutls 3.1.x and gnutls 3.2.x."
>>
>> Is this correct, are 3.0.x and 2.x not affected?
>>
>> cu Andreas
> Hello. According to my code review the issue is introduced in
> GnuTLS 2.11.5 when V1 trusted CAs began getting allowed by
> default.

Correct. I've updated the advisory to be clear on that. I'm only
updating the 3.1 and 3.2 series as they are the latest stable, and both
are fully backwards compatible with 3.0.

regards,
Nikos



