[gnutls-devel] gnutls 3.2.5

Shawn citypw at gmail.com
Fri Oct 25 04:51:59 CEST 2013


hey Nikos,

On Thu, Oct 24, 2013 at 3:57 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On 10/24/2013 09:27 AM, Tomas Hoger wrote:
>
>>> ** libdane: Fixed a buffer overflow in dane_query_tlsa(). This could
>>> be triggered by a DNS server supplying more than 4 DANE records.
>>> Report and fix by Christian Grothoff.
>> This sounds like a security fix rather than just a regular bug fix, but
>> 3.2.5 and 3.1.15 releases were not announced as security updates.  As I
>> can't say I'm familiar with DANE, I wonder if I may be missing some
>> good reason why this isn't or should not be considered a security fix.
>
> Hello,
>  It is a security fix. There is no different process for them though. I
> should assign a GNUTLS-SA though.
>
This is a buffer overflow issue. I couldn't find CVE number yet. Maybe
send a CVE request is not a bad idea.

> regards,
> Nikos
>
>
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-devel



-- 
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn



More information about the Gnutls-devel mailing list