[gnutls-help] Gnutls version with fix for CVE-2021-46848

Daiki Ueno ueno at gnu.org
Tue Feb 14 07:37:14 CET 2023


Troy Hinckley <comms at dabrev.com> writes:

> My company will not let us use gnutls due to CVE-2021-46848, which impacts libtasn1
> versions less than 4.19. Gnutls is using version 4.16, and hence is subject to this
> vulnerability. We attempted to build with 4.19, but the build failed. What would it take
> for Gnutls to upgrade to a security compliant version of libtasn1?

I think that depends on how you build GnuTLS.  If it is configured to
link with libtasn1 installed on the system (default), you would anyway
need to update it; I suggest reporting any build failure to the upstream issue
tracker: https://gitlab.com/gnutls/libtasn1/-/issues

Otherwise, if it is configured to use libtasn1 bundled in GnuTLS release
(i.e., with --with-included-libtasn1), upgrading to GnuTLS 3.8.0 might
be an option, as it includes 4.19.

Regards,
-- 
Daiki Ueno
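
Added example, not part of the original message and not GnuTLS project code: a shell sketch of the check the reply implies, deciding whether a GnuTLS build takes libtasn1 from the system or from the bundled copy, then comparing against the versions named in the thread (libtasn1 4.19, GnuTLS 3.8.0). The function names, the GNUTLS_LIB variable and the sample ldd lines are assumptions made for illustration; a libgnutls with no dynamic libtasn1 dependency is treated as bundled, although a static link of a system copy would look the same.

```shell
#!/bin/sh
FIXED_TASN1="4.19"       # libtasn1 version the thread treats as fixed
GNUTLS_WITH_FIX="3.8.0"  # GnuTLS release that bundles 4.19, per the thread

# version_ge A B: succeeds when dotted version A >= B (needs `sort -V`).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# tasn1_linkage: reads `ldd` output on stdin; "system" when libtasn1 is a
# shared dependency, otherwise "bundled" (assumption: not a static system copy).
tasn1_linkage() {
    if grep -q 'libtasn1\.so'; then echo system; else echo bundled; fi
}

# assess LINKAGE VERSION: VERSION is the libtasn1 version for "system",
# the GnuTLS version for "bundled".
assess() {
    case "$1" in
        system)
            if version_ge "$2" "$FIXED_TASN1"; then echo fixed
            else echo upgrade-system-libtasn1; fi ;;
        bundled)
            if version_ge "$2" "$GNUTLS_WITH_FIX"; then echo fixed
            else echo consider-gnutls-3.8.0; fi ;;
        *) echo unknown ;;
    esac
}

# Constructed ldd output for a libgnutls linked against the system libtasn1.
sample_ldd_system() {
    printf '\tlibtasn1.so.6 => /usr/lib/libtasn1.so.6 (0x00007f0000000000)\n'
    printf '\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f0000200000)\n'
}

# Live check, only when GNUTLS_LIB points at a libgnutls shared object.
# pkg-config reports the installed development version, which is assumed
# to match the library being inspected.
if [ -n "${GNUTLS_LIB:-}" ]; then
    linkage=$(ldd "$GNUTLS_LIB" | tasn1_linkage)
    if [ "$linkage" = system ]; then
        ver=$(pkg-config --modversion libtasn1)
    else
        ver=$(pkg-config --modversion gnutls)
    fi
    echo "libtasn1: $linkage, version checked: $ver, result: $(assess "$linkage" "$ver")"
fi
```

Run it as `GNUTLS_LIB=/path/to/libgnutls.so sh check.sh`, substituting the actual library path; without GNUTLS_LIB it only defines the functions.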


