oss-sec mailing list archives
GnuTLS CVE-2009-2730 Patches (Was Re: GnuTLS 2.8.2)
From: Jamie Strandboge <jamie () canonical com>
Date: Fri, 14 Aug 2009 16:35:38 -0500
On Fri, 14 Aug 2009, Simon Josefsson wrote:
> I don't have time/resources to produce releases for older branches. If
> someone else wants to volunteer to work on fixing older releases, that
> would be appreciated.

Attached are preliminary patches for 2.4.1, 2.0.4 and 1.2.9 backported from the advisory[1]. This is a first pass, have only been very lightly tested and have not been thoroughly looked at (you've been warned). They are not intended for production use yet, but hopefully others will be able to use them and provide feedback.

2.0.4 and 1.2.9 needed an additional patch[2] which adds wide wildcard hostname matching. Ubuntu will likely carry this patch, but it may not be appropriate for everyone.

2.x passes the nul-in-x509-names.c test mentioned in the advisory. 1.2.9 does not pass the CN test yet, though at first glance certtool output looks comparable to the others.

These patches are against Ubuntu sources and not clean tarballs.

Jamie

[1] http://lists.gnu.org/archive/html/help-gnutls/2009-08/msg00011.html
[2] http://git.savannah.gnu.org/cgit/gnutls.git/patch/?id=177e7ddb761999cd8b439e14a2bf43590756e230

--
Jamie Strandboge | http://www.canonical.com

Attachment: CVE-2009-2730_2.4.1.patch
Attachment: CVE-2009-2730_2.0.4.patch
Attachment: CVE-2009-2730_1.2.9.patch
Attachment: signature.asc (Digital signature)