oss-sec mailing list archives
Re: CVE ID request: GNUTLS
From: Simon Josefsson <simon () josefsson org>
Date: Tue, 20 May 2008 07:55:19 +0200
Jonathan Smith <smithj-TzNcu2uxYW0shl4onS21xdBPR1lH4CV8 () public gmane org> writes:
> Florian Weimer wrote:
> | Several issues have been announced in GNUTLS-SA-2008-1:
>
> Note that the fixed versions have changed. 2.2.4 didn't fix the issue, so
> they pushed 2.2.5 today as well.
>
> reference
> http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2812

Actually, v2.2.4 did fix the security issue. However, the code to detect and print a debug message about the attack was buggy and was triggered for normal connections under some conditions (conditions which, alas, the self-tests did not exercise). Still, the 2.2.5 announcement is what you want to read to get the full picture.

Note that gmane garbles OpenPGP signed cleartext patches. Try this link instead:

http://lists.gnu.org/archive/html/gnutls-devel/2008-05/msg00060.html

/Simon