[Help-gnutls] Security advisories (was: Re: GnuTLS 1.2.3 and 1.0.25)

Simon Josefsson jas at extundo.com
Wed May 4 15:16:30 CEST 2005


Regit <regit at inl.fr> writes:

> The problem was discovered by INL when we were studying a crash of
> nuauth, a daemon which is part of the NuFW project
> (http://www.nufw.org). During stress tests we made on our solution, we
> opened a lot of TLS sessions simultaneously (more than 200). After some
> time the application crashed with a segfault.
>
> I will try to write a detailed track record of this security problem:

Thanks a lot!

I have created a page for security advisories:

http://josefsson.org/gnutls/security.html

Your DoS-problem is now called GNUTLS-SA-2005-1.  I will add a link to
your post once it is in the mailing list archive.  If someone wants to
add even more information, I can add more links.

Everyone is encouraged to write up similar reports for future
problems!  An archive of reports, similar to yours, will be a very
useful resource in a few years, as a reference for what kind of security
errors occur in the wild, how they are solved, how fast, etc.

Having more eyes analyzing each bug would also be useful.  So don't
let the existence of one report stop you from separately looking into
the bug and writing up something.

I'm not convinced the "Severity" column is useful.  Judging the
severity might be rather subjective in some cases.  Perhaps it will go
away.

Regards,
Simon




