[gnutls-devel] gnutls 3.2.5
Shawn
citypw at gmail.com
Fri Oct 25 05:38:56 CEST 2013
It already has a CVE-id: CVE-2013-4466
http://www.openwall.com/lists/oss-security/2013/10/25/2
On Fri, Oct 25, 2013 at 10:51 AM, Shawn <citypw at gmail.com> wrote:
> hey Nikos,
>
> On Thu, Oct 24, 2013 at 3:57 PM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
>> On 10/24/2013 09:27 AM, Tomas Hoger wrote:
>>
>>>> ** libdane: Fixed a buffer overflow in dane_query_tlsa(). This could
>>>> be triggered by a DNS server supplying more than 4 DANE records.
>>>> Report and fix by Christian Grothoff.
>>> This sounds like a security fix rather than just a regular bug fix, but
>>> 3.2.5 and 3.1.15 releases were not announced as security updates. As I
>>> can't say I'm familiar with DANE, I wonder if I may be missing some
>>> good reason why this isn't or should not be considered a security fix.
>>
>> Hello,
>> It is a security fix. There is no different process for them though. I
>> should assign a GNUTLS-SA though.
>>
> This is a buffer overflow issue. I couldn't find a CVE number yet. Maybe
> sending a CVE request is not a bad idea.
>
>> regards,
>> Nikos
>>
>>
>> _______________________________________________
>> Gnutls-devel mailing list
>> Gnutls-devel at lists.gnutls.org
>> http://lists.gnupg.org/mailman/listinfo/gnutls-devel
>
>
>
> --
> GNU powered it...
> GPL protect it...
> God blessing it...
>
> regards
> Shawn
--
GNU powered it...
GPL protect it...
God blessing it...
regards
Shawn
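
The bug class named in the quoted changelog entry (a fixed-capacity store filled from a server-controlled record list), sketched as an added example; it is not code from this thread or from GnuTLS. The struct, function names, capacity macro and sample record bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ENTRIES 4 /* assumed capacity, after the "4 DANE records" in the changelog */

/* Hypothetical record store; not libdane's actual structure. */
struct tlsa_store {
    unsigned count;
    const uint8_t *data[MAX_ENTRIES];
    size_t len[MAX_ENTRIES];
};

/* Unsafe pattern, shown only as a comment: the loop trusts the NULL
 * terminator of a server-controlled list, so a 5th record lands past data[3].
 *     for (i = 0; rr[i] != NULL; i++) s->data[i] = rr[i];   */

/* Hardened copy: capacity is checked before every write.
 * Returns 0 on success, -1 if the answer holds more than MAX_ENTRIES records. */
int tlsa_store_fill(struct tlsa_store *s, const uint8_t *const *rr, const size_t *rr_len)
{
    unsigned i;
    s->count = 0;
    for (i = 0; rr[i] != NULL; i++) {
        if (i >= MAX_ENTRIES) /* >= rather than >: index 4 is already out of bounds */
            return -1;
        s->data[i] = rr[i];
        s->len[i] = rr_len[i];
        s->count = i + 1;
    }
    return 0;
}

/* Constructed input: n dummy records plus a NULL terminator.
 * Returns the number of records stored, or -1 if the answer was rejected. */
int demo_fill(unsigned n)
{
    static const uint8_t rec[3] = {3, 1, 1}; /* constructed placeholder bytes */
    const uint8_t *rr[16] = {0};
    size_t rr_len[16] = {0};
    struct tlsa_store s;
    unsigned i;
    for (i = 0; i < n && i < 15; i++) { rr[i] = rec; rr_len[i] = sizeof rec; }
    return tlsa_store_fill(&s, rr, rr_len) == 0 ? (int)s.count : -1;
}

int main(void)
{
    printf("4 records -> %d, 5 records -> %d\n", demo_fill(4), demo_fill(5));
    return 0;
}
```

Rejecting the oversized answer rather than truncating it is a choice made for this sketch; either way, the check has to run before the write.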