[gnutls-devel] libidn + 3.4.1 = cves?
n.mavrogiannopoulos at gmail.com
Mon May 4 15:50:23 CEST 2015
It seems that libidn cannot currently handle untrusted input.
According to thread in  libidn expects the input to be checked
before. However, we have no way to do that in gnutls, so most probably
we need to (1) disable libidn support by default in 3.4.x - i.e.,
internationalized dns names and correct comparison of them, (2) switch
to some other library, (3) wait until the issue (assigned
CVE-2015-2059) is resolved upstream.
I'm currently leaning towards (3), and taking action before 3.4.x
becomes stable. Any suggestions or comments on the issue?