[gnutls-devel] GNUTLS-SA-2014-1 / CVE-2014-1959 only affects 3.[12].x?

mancha mancha1 at hush.com
Sat Feb 15 16:43:14 CET 2014


On Sat, 15 Feb 2014 15:16:55 +0000 "Andreas Metzler" wrote:
>Hello,
>
>http://www.gnutls.org/security.html#GNUTLS-SA-2014-1 says: "Suman Jana
>reported a vulnerability that affects the certificate verification
>functions of gnutls 3.1.x and gnutls 3.2.x."
>
>Is this correct, are 3.0.x and 2.x not affected?
>
>cu Andreas

Hello. According to my code review the issue is introduced in
2.11.5 when V1 trusted CAs began getting allowed by default.

Feel free to use my backport for 3.0.32:

http://sf.net/projects/mancha/files/sec/gnutls-3.0.32_CVE-2014-1959.diff

--mancha
