[gnutls-devel] GNUTLS-SA-2017-4 (was: gnutls 3.5.13)
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sun Jun 11 16:27:15 CEST 2017
On Sun, 2017-06-11 at 11:43 +0200, Andreas Metzler wrote:
> On 2017-06-07 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> > Hello,
> > I've just released gnutls 3.5.13. This is a bug fix release on the
> > 3.5.x branch.
>
> [...]
> > ** libgnutls: no longer parse the ResponseID field of the status response
> > TLS extension. The field is not used by GnuTLS nor is made available to
> > calling applications. That addresses a null pointer dereference on server
> > side caused by packets containing the ResponseID field. Reported
> > by Hubert Kario. [GNUTLS-SA-2017-4]
>
> [...]
>
> Hello,
>
> do you know to which versions of GnuTLS this applies? Afaict it seems
> to apply to 3.3.8, too.

Hi,

It certainly applies to the 3.3.x branch; I have not investigated other
versions (though 2.12.x are not vulnerable as this extension is not
supported). There is a patch on the 3.3.x branch for it.

regards,
Nikos
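
Added illustration, not part of this thread and not GnuTLS code: a server-side handler for the status_request extension that steps over the field the release note calls ResponseID (`responder_id_list` in RFC 6066) by its length prefix, without interpreting it. The function names, return codes and sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { SR_OK = 0, SR_IGNORED = 1, SR_MALFORMED = -1 }; /* hypothetical codes */

/* Step over one <0..2^16-1> vector using only its length prefix. */
static int skip_vec16(const uint8_t **p, size_t *left)
{
    if (*left < 2)
        return -1;
    size_t n = ((size_t)(*p)[0] << 8) | (*p)[1];
    *p += 2;
    *left -= 2;
    if (n > *left)              /* declared length runs past the buffer */
        return -1;
    *p += n;
    *left -= n;
    return 0;
}

/* extension_data layout (RFC 6066, section 8):
 *   status_type(1) | responder_id_list<0..2^16-1> | request_extensions<0..2^16-1> */
int parse_status_request(const uint8_t *data, size_t len, int *ocsp_requested)
{
    if (ocsp_requested == NULL)
        return SR_MALFORMED;
    *ocsp_requested = 0;
    if (data == NULL || len < 1)
        return SR_MALFORMED;
    if (data[0] != 1)           /* only status_type ocsp(1) is defined */
        return SR_IGNORED;
    const uint8_t *p = data + 1;
    size_t left = len - 1;
    /* responder_id_list, then request_extensions: skipped, never interpreted */
    if (skip_vec16(&p, &left) < 0 || skip_vec16(&p, &left) < 0 || left != 0)
        return SR_MALFORMED;
    *ocsp_requested = 1;
    return SR_OK;
}

int main(void)
{
    /* Constructed sample: ocsp, one 2-byte responder ID, no extensions. */
    const uint8_t sample[] = { 1, 0, 4, 0, 2, 'a', 'b', 0, 0 };
    int req;
    printf("%d %d\n", parse_status_request(sample, sizeof sample, &req), req);
    return 0;
}
```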