On Thu, Jun 26, 2014 at 07:58:04PM +0200, Andreas Metzler wrote:
> On 2014-06-25 Kurt Roeckx <k...@roeckx.be> wrote:
> > Package: lynx-cur, libgnutls26
> > Severity: serious
> > Tags: security
> >
> > Hi,
> >
> > There is a test site for checking the gnutls bug:
> > https://gnutls.notary.icsi.berkeley.edu/
> >
> > I can connect to it and get the message:
> > If you see this without getting a certificate error you are
> > vulnerable against the GnuTLS bug
> [...]
>
> Hello Kurt,
>
> afaiui this site checks for CVE-2014-0092, not CVE-2014-1959, and

You're right, wrong CVE.

> indeed an important difference comes up when comparing
> gnutls-cli -p 443 gnutls.notary.icsi.berkeley.edu --x509cafile \
>   /etc/ssl/certs/ca-certificates.crt
> with libgnutls26_2.12.20-8 and libgnutls26_2.12.20-8+deb7u1. The older
> unfixed version connects successfully and trusts the certificate, the
> newer one does not.

As said, I can reproduce it with +deb7u2.

> Also for reference reproducing the issue on current sid/testing
> requires downgrading libtasn1-6 to <= 3.2-1.

I can reproduce it with 3.6-3 in testing and libtasn1-3 2.13-2 in stable.

I also understand that not everybody can reproduce it. I can't reproduce it
on at least 2 different systems but not on a 3rd.

Kurt