[mod_gnutls-devel] Security update: mod_gnutls 0.12.1
Fiona Klute
fiona.klute at gmx.de
Thu Feb 23 20:10:57 CET 2023
Hi everyone,
I have just uploaded a new source archive and matching signature to
https://mod.gnutls.org/downloads/ as well as the signed
mod_gnutls/0.12.1 tag to the git repositories [1, 2].
This release fixes a security issue that allows denial of service attacks.
Many thanks to Félix Arreola Rodríguez, who debugged the issue on the
Debian bug tracker [3]! Unfortunately I didn't see the information there
until yesterday, when I checked the Debian bugs for unrelated reasons; my
apologies for that.
Changes since 0.12.1:
- Security fix (CVE-2023-25824): Remove an infinite loop in blocking
read on transport timeout. Mod_gnutls versions from 0.9.0 to 0.12.0
(including) did not properly fail blocking read operations on TLS
connections when the transport hit timeouts. Instead it entered an
endless loop retrying the read operation, consuming CPU resources. This
could be exploited for denial of service attacks. If trace level logging
was enabled, it would also produce an excessive amount of log output
during the loop, consuming disk space.
- Replace obsolete Autoconf macros. Generating ./configure now requires
Autoconf 2.69 (present in Debian Bullseye).
Regards,
Fiona
[1] https://mod.gnutls.org/git/mod_gnutls
[2] https://github.com/airtower-luna/mod_gnutls.git
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942737#25
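The loop described in the CVE-2023-25824 entry above is easy to reproduce in miniature. The following C program is an added illustration, not mod_gnutls code: it models a transport whose pull callback reports an expired read timeout as `-1`/`EAGAIN` (a constructed `fake_transport`, with the peer optionally never sending), then runs the same read request through a "vulnerable" blocking read that treats the timeout as a transient condition and retries without bound, and through a "fixed" one that fails the read with `ETIMEDOUT`. The `MAX_SPIN` cap exists only so the demonstration terminates; the retry count it reports is the CPU-burning behaviour the advisory describes. All function and field names are assumptions for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed transport model (not mod_gnutls code). The transport is
 * assumed to have its own read timeout; when it expires, the pull
 * callback reports -1 with errno == EAGAIN, as the vulnerable versions
 * saw it. timeouts_before_data: how many reads time out before data is
 * available; -1 means the peer never sends anything. */
struct fake_transport {
    int timeouts_before_data;
    const char *data;
    size_t len;
    size_t offset;
    unsigned long calls;        /* number of pull calls made so far */
};

static ssize_t fake_pull(struct fake_transport *t, void *buf, size_t size) {
    t->calls++;
    if (t->timeouts_before_data != 0) {
        if (t->timeouts_before_data > 0)
            t->timeouts_before_data--;
        errno = EAGAIN;         /* transport timeout expired, no data */
        return -1;
    }
    size_t avail = t->len - t->offset;
    size_t n = avail < size ? avail : size;
    memcpy(buf, t->data + t->offset, n);
    t->offset += n;
    return (ssize_t) n;
}

enum { MAX_SPIN = 10000 };

/* Vulnerable pattern: a transport timeout is treated like "no data yet"
 * and the read is retried without bound. The cap only makes this demo
 * terminate; the pattern itself has no exit while the peer stays silent.
 * Returns bytes read, -1 on a hard error, or -2 when the cap was hit. */
static ssize_t blocking_read_vulnerable(struct fake_transport *t,
                                        char *buf, size_t size) {
    for (unsigned long i = 0; i < MAX_SPIN; i++) {
        ssize_t r = fake_pull(t, buf, size);
        if (r >= 0)
            return r;
        if (errno == EAGAIN || errno == EINTR)
            continue;           /* retry... and retry... */
        return -1;
    }
    return -2;
}

/* Fixed pattern: in a blocking read the transport has already waited
 * for its configured timeout, so EAGAIN means the peer went silent.
 * Fail with ETIMEDOUT instead of spinning; only EINTR is retried. */
static ssize_t blocking_read_fixed(struct fake_transport *t,
                                   char *buf, size_t size) {
    for (;;) {
        ssize_t r = fake_pull(t, buf, size);
        if (r >= 0)
            return r;
        if (errno == EINTR)
            continue;
        if (errno == EAGAIN)
            errno = ETIMEDOUT;
        return -1;
    }
}

/* Outcome of one scenario: read result, pull-call count, final errno. */
struct outcome { ssize_t result; unsigned long pull_calls; int err; };

/* Run one blocking read against a transport that times out 'timeouts'
 * times before delivering "hello" (-1: never delivers). */
static struct outcome scenario(int timeouts, int fixed) {
    struct fake_transport t = { .timeouts_before_data = timeouts,
                                .data = "hello", .len = 5 };
    char buf[16];
    errno = 0;
    ssize_t r = fixed ? blocking_read_fixed(&t, buf, sizeof buf)
                      : blocking_read_vulnerable(&t, buf, sizeof buf);
    struct outcome o = { r, t.calls, errno };
    return o;
}

int main(void) {
    struct outcome o = scenario(-1, 0);
    printf("vulnerable, peer silent: result %zd after %lu pull calls (capped)\n",
           o.result, o.pull_calls);
    o = scenario(-1, 1);
    printf("fixed, peer silent: result %zd (%s) after %lu pull call(s)\n",
           o.result, strerror(o.err), o.pull_calls);
    o = scenario(2, 0);
    printf("vulnerable, data after 2 timeouts: read %zd bytes in %lu calls\n",
           o.result, o.pull_calls);
    return 0;
}
```

The third scenario shows why the bug could go unnoticed: when the peer eventually sends, the vulnerable loop returns the data and looks correct; only a peer that stays silent turns it into a CPU (and, with trace logging, disk) exhaustion problem.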