[gnutls-devel] serious bug in web site

jericho jericho at attrition.org
Fri Feb 27 20:23:17 CET 2015



On Fri, 27 Feb 2015, Nikos Mavrogiannopoulos wrote:

: On Fri, 2015-02-27 at 11:53 -0600, jericho wrote:
: > http://www.gnutls.org/security.html
: > 
: > On 2015/02/25 a new advisory appears, SA-2015-1, that is a cut/paste copy 
: > of SA-2014-5 and has no CVE.
: > On 2015/02/27 SA-2015-1 disappears without any indication as to why, or 
: > explanation if it was a mistake.
: 
: Why would there be an explanation? It was clearly a copy-paste error,
: and SA-2014-5 appeared with a new date. 

Actually, no. First, the advisories are not dated at all, which is also 
annoying for those who track disclosures. Second, given the time between 
2014-5 and the appearance of 2015-1, it left people guessing if it is a 
pure copy/paste error, meaning there is no new issue, or if there IS a new 
issue and the description was not properly updated. The lack of a CVE 
supported the idea that there was a new issue, along with a post to 
gnutls-help announcing a new release that fixed a certificate processing 
issue that could constitute a vulnerability [1].

This is very clearly confusing to the end user responsible for maintaining 
a secure network. Adding a note somewhere on the page explaining that the 
2015-02-25 appearance of SA-2015-1 was a mistake easily clarifies this 
issue to anyone wondering.

Thanks,

Brian

[1] 
http://lists.gnutls.org/pipermail/gnutls-help/2015-February/003764.html



More information about the Gnutls-devel mailing list