Bug#849807: gnutls_record_send after incomplete gnutls_handshake sends data unencrypted

Andreas Metzler ametzler at bebt.de
Sat Jul 8 16:43:35 UTC 2017


Control: forwarded -1 https://gitlab.com/gnutls/gnutls/issues/158

On 2016-12-31 "Bernhard R. Link" <brlink at debian.org> wrote:
> Package: libgnutls30
> Version: 3.5.7-3
> Severity: normal
> Tags: security

> This bug report is not about wrong behavior if libgnutls is called
> correctly but rather about dangerous behaviour if the caller is using
> libgnutls incorrectly.

> If a handshake has not yet completed (the caller ignoring
> gnutls_handshake return code or the caller having a bug in the handling
> of GNUTLS_E_AGAIN) then telling libgnutls to send data causes it to send
> it unencrypted. Unless there are cases where it might be useful, I think a
> security-relevant library like libgnutls should rather catch this
> mistake and avoid sending stuff unencrypted.
[...]

Hello,

This has been fixed in GnuTLS GIT master and is scheduled for 3.6.x.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
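The report above is about the caller's side of the contract: gnutls_handshake() returns GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED when the transport would block, and a caller that ignores that and calls gnutls_record_send() anyway hands plaintext to a record layer that is not yet encrypting. The following is an added example, not code from the bug report or from GnuTLS, of the guard a caller can keep on its own side: drive the handshake until it returns 0, remember that it did, and refuse to send before then. The GnuTLS calls are injected as function pointers so the pattern runs offline without libgnutls; the two error-code values are assumed to match the `#define`s in gnutls.h, and the fake session that returns GNUTLS_E_AGAIN a few times is constructed for the demonstration.

```c
/* Added example (not from the bug report or GnuTLS): a caller-side guard
 * that refuses record-layer writes until the handshake has completed.
 * The GnuTLS calls are injected as function pointers so this runs without
 * libgnutls; in real code they would be gnutls_handshake() and
 * gnutls_record_send() on a gnutls_session_t. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Return codes mirrored from gnutls.h (assumed values). */
#define GNUTLS_E_AGAIN        (-28)
#define GNUTLS_E_INTERRUPTED  (-52)

typedef int (*handshake_fn)(void *session);
typedef ssize_t (*send_fn)(void *session, const void *buf, size_t len);

struct guarded_session {
    void *session;          /* would be a gnutls_session_t */
    handshake_fn handshake; /* would be gnutls_handshake */
    send_fn send;           /* would be gnutls_record_send */
    int established;        /* set only after handshake() returned 0 */
};

/* Drive the handshake.  GNUTLS_E_AGAIN / GNUTLS_E_INTERRUPTED are the only
 * codes that mean "call again"; any other non-zero result is treated as
 * fatal.  Returns 0 once the handshake finished, otherwise the last code. */
int guarded_handshake(struct guarded_session *g, int max_tries)
{
    int tries = 0;
    for (;;) {
        int rc = g->handshake(g->session);
        if (rc == 0) {
            g->established = 1;
            return 0;
        }
        if (rc != GNUTLS_E_AGAIN && rc != GNUTLS_E_INTERRUPTED)
            return rc;      /* fatal error: the session must not be used */
        if (++tries >= max_tries)
            return rc;      /* still in progress: caller must try again later */
    }
}

/* The check the report wants from the library, applied by the caller:
 * nothing is handed to the record layer until the handshake is done. */
ssize_t guarded_send(struct guarded_session *g, const void *buf, size_t len)
{
    if (!g->established) {
        errno = ENOTCONN;
        return -1;
    }
    return g->send(g->session, buf, len);
}

/* Constructed stand-in for a session whose peer is slow to answer. */
struct fake_session {
    int again_left;   /* how many GNUTLS_E_AGAIN results to return first */
    size_t sent;      /* bytes the fake record layer accepted */
};

static int fake_handshake(void *s)
{
    struct fake_session *f = s;
    if (f->again_left > 0) {
        f->again_left--;
        return GNUTLS_E_AGAIN;
    }
    return 0;
}

static ssize_t fake_send(void *s, const void *buf, size_t len)
{
    struct fake_session *f = s;
    (void)buf;
    f->sent += len;
    return (ssize_t)len;
}

/* Reproduce the careless caller from the report: ignore the handshake
 * result and send anyway.  Returns how many bytes reached the record
 * layer; with the guard that is 0 unless the handshake really finished. */
size_t demo(int again_count, int handshake_attempts)
{
    struct fake_session f = { again_count, 0 };
    struct guarded_session g = { &f, fake_handshake, fake_send, 0 };
    (void)guarded_handshake(&g, handshake_attempts); /* deliberately ignored */
    guarded_send(&g, "GET / HTTP/1.0\r\n", 16);
    return f.sent;
}

int main(void)
{
    printf("needs 3 calls, made 1: %zu bytes sent\n", demo(2, 1));
    printf("needs 3 calls, made 3: %zu bytes sent\n", demo(2, 3));
    return 0;
}
```

Against the real library the `established` flag would be set in the same place, after gnutls_handshake() returned 0, and the fatal/non-fatal split can be made with gnutls_error_is_fatal() instead of comparing against the two codes by hand.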


