gnutls issues CVE-2017-533[4567]

Salvatore Bonaccorso carnil at debian.org
Sat Mar 4 18:18:25 UTC 2017


Hi Andreas,

On Sun, Feb 05, 2017 at 06:10:05PM +0100, Moritz Mühlenhoff wrote:
> On Sun, Feb 05, 2017 at 02:21:34PM +0100, Andreas Metzler wrote:
> > Hello,
> > 
> > do you intend to fix CVE-2017-5337 CVE-2017-5336 CVE-2017-5335 CVE-2017-5334
> > by DSA?
> > 
> > | It was found using the OSS-FUZZ fuzzer infrastructure that decoding a
> > | specially crafted OpenPGP certificate could lead to heap and stack
> > | overflows. This issue was fixed in GnuTLS 3.3.26 and 3.5.8.
> > | Recommendation: The support of OpenPGP certificates in GnuTLS is
> > | considered obsolete. As such, it is not recommended to use OpenPGP
> > | certificates with GnuTLS. To address the issues found upgrade to GnuTLS
> > | 3.3.26, 3.5.8 or later versions.
> > | 
> > | It was found using the OSS-FUZZ fuzzer infrastructure that decoding a
> > | specially crafted X.509 certificate with Proxy Certificate Information
> > | extension present could lead to a double free. This issue was fixed in
> > | GnuTLS 3.3.26 and 3.5.8. Recommendation: Upgrade to GnuTLS 3.3.26, 3.5.8
> > | or later versions.
> > 
> > If not, I have started preparing a candidate for stable which - inter alia -
> > would fix these and would appreciate some double-checking.
> 
> Thanks for working on this, I think updating them via a jessie point update
> is fine.

Did you find time to propose the update for the next point release?
According to https://release.debian.org/ it would be

stable (8.8) Not yet planned, lately mid-late March

but AFAIK, no fixed date yet.

Regards,
Salvatore


