[gnutls-devel] serious bug in web site
jericho at attrition.org
Fri Feb 27 20:23:17 CET 2015
On Fri, 27 Feb 2015, Nikos Mavrogiannopoulos wrote:
: On Fri, 2015-02-27 at 11:53 -0600, jericho wrote:
: > http://www.gnutls.org/security.html
: > On 2015/02/25 a new advisory appears, SA-2015-1, that is a cut/paste copy
: > of SA-2014-5 and has no CVE.
: > On 2015/02/27 SA-2015-1 disappears without any indication as to why, or
: > explanation if it was a mistake.
: Why would there be an explanation? It was clearly a copy-paste error,
: and SA-2014-5 appeared with a new date.
Actually, no. First, the advisories are not dated at all, which is also
annoying for those who track disclosures. Second, given the time between
2014-5 and the appearance of 2015-1, it left people guessing if it is a
pure copy/paste error, meaning there is no new issue, or if there IS a new
issue and the description was not properly updated. The lack of a CVE
supported the idea that there was a new issue, along with a post to
gnutls-help announcing a new release that fixed a certificate processing
issue that could constitute a vulnerability.
This is very clearly confusing to the end user responsible for maintaining
a secure network. Adding a note somewhere on the page explaining that the
2015-02-25 appearance of SA-2015-1 was a mistake easily clarifies this
issue to anyone wondering.