From fiona.klute at gmx.de Thu Feb 23 20:10:57 2023
From: fiona.klute at gmx.de (Fiona Klute)
Date: Thu, 23 Feb 2023 20:10:57 +0100
Subject: [mod_gnutls-devel] Security update: mod_gnutls 0.12.1
Message-ID:

Hi everyone,

I have just uploaded a new source archive and matching signature to https://mod.gnutls.org/downloads/ as well as the signed mod_gnutls/0.12.1 tag to the git repositories [1, 2].

This release fixes a security issue that allows denial of service attacks. Many thanks to Félix Arreola Rodríguez, who debugged the issue on the Debian bug tracker [3]! Unfortunately I didn't see the information there until yesterday when I checked the Debian bugs for unrelated reasons, my apologies for that.

Changes since 0.12.1:

- Security fix (CVE-2023-25824): Remove an infinite loop in blocking read on transport timeout. Mod_gnutls versions from 0.9.0 to 0.12.0 (inclusive) did not properly fail blocking read operations on TLS connections when the transport hit timeouts. Instead it entered an endless loop retrying the read operation, consuming CPU resources. This could be exploited for denial of service attacks. If trace level logging was enabled, it would also produce an excessive amount of log output during the loop, consuming disk space.

- Replace obsolete Autoconf macros. Generating ./configure now requires Autoconf 2.69 (present in Debian Bullseye).

Regards,
Fiona

[1] https://mod.gnutls.org/git/mod_gnutls
[2] https://github.com/airtower-luna/mod_gnutls.git
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942737#25
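The failure mode behind CVE-2023-25824 is a blocking read loop that treats a transport timeout as a transient condition and retries without end. The following is an added illustration in C of that pattern beside the corrected one; it is not mod_gnutls code and does not use GnuTLS or Apache APIs. The transport is a constructed stand-in (a scripted sequence of results, then permanent timeouts), the function names are hypothetical, and the retry cap in the flawed version exists only so the demonstration terminates.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the transport beneath a TLS session. Each call
 * yields the next scripted result (>= 0 bytes read, or a negative errno);
 * once the script is exhausted every call times out, like a silent peer. */
typedef struct {
    const int *script;  /* constructed sequence of per-call results */
    size_t len;
    size_t pos;
} fake_transport_t;

static int fake_transport_read(fake_transport_t *t)
{
    if (t->pos >= t->len)
        return -ETIMEDOUT;
    return t->script[t->pos++];
}

/* Cap used only so the flawed pattern terminates in this demonstration;
 * the flaw described in the advisory had no such cap. */
#define DEMO_SPIN_CAP 1000

/* Flawed pattern: every negative result, including a transport timeout,
 * is treated as "try again", so a timed-out connection is never failed.
 * *spins counts wasted retries. Returns bytes read, or -1 at the demo cap. */
static int read_retry_everything(fake_transport_t *t, unsigned *spins)
{
    *spins = 0;
    for (;;) {
        int r = fake_transport_read(t);
        if (r >= 0)
            return r;
        if (++(*spins) >= DEMO_SPIN_CAP)
            return -1;
        /* retries regardless of which error occurred: this is the bug */
    }
}

/* Corrected pattern: only an interrupted call is retried; a timeout (or any
 * other error) is returned so the caller can fail the read and close the
 * connection instead of burning CPU and log space. */
static int read_fail_on_timeout(fake_transport_t *t, unsigned *spins)
{
    *spins = 0;
    for (;;) {
        int r = fake_transport_read(t);
        if (r == -EINTR) {      /* transient: retry */
            (*spins)++;
            continue;
        }
        return r;               /* data, or a real error such as -ETIMEDOUT */
    }
}

/* Scenario helpers with constructed inputs, so each outcome is a return value. */

/* Silent peer, flawed pattern: retries until the demo cap. */
int spins_when_peer_silent_flawed(void)
{
    fake_transport_t t = { NULL, 0, 0 };
    unsigned spins;
    (void)read_retry_everything(&t, &spins);
    return (int)spins;
}

/* Silent peer, fixed pattern: fails immediately with -ETIMEDOUT. */
int result_when_peer_silent_fixed(void)
{
    fake_transport_t t = { NULL, 0, 0 };
    unsigned spins;
    return read_fail_on_timeout(&t, &spins);
}

int spins_when_peer_silent_fixed(void)
{
    fake_transport_t t = { NULL, 0, 0 };
    unsigned spins;
    (void)read_fail_on_timeout(&t, &spins);
    return (int)spins;
}

/* One interrupted call, then 5 bytes: both patterns should still succeed. */
int bytes_after_eintr(int use_fixed)
{
    static const int script[] = { -EINTR, 5 };
    fake_transport_t t = { script, 2, 0 };
    unsigned spins;
    return use_fixed ? read_fail_on_timeout(&t, &spins)
                     : read_retry_everything(&t, &spins);
}

int main(void)
{
    int fixed_result = result_when_peer_silent_fixed();
    printf("flawed, silent peer: %d retries before demo cap\n",
           spins_when_peer_silent_flawed());
    printf("fixed, silent peer: result %d (ETIMEDOUT=%d), retries %d\n",
           fixed_result, -ETIMEDOUT, spins_when_peer_silent_fixed());
    printf("after EINTR: flawed=%d fixed=%d bytes\n",
           bytes_after_eintr(0), bytes_after_eintr(1));
    return 0;
}
```

The point of the corrected loop is the error classification: an interrupted call is worth retrying, but a transport timeout means the peer is not sending, so the read must return the error and let the connection be torn down. A defender checking a similar code path can look for retry loops whose condition is simply "result was negative" rather than a specific transient code.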