On Monday, 02.06.2014, at 09:50 +0200, Moritz Muehlenhoff wrote:
> Package : gnutls26
> Version : 2.8.6-1+squeeze4
> CVE ID : CVE-2014-3466
>
> Joonas Kuorilehto discovered that GNU TLS performed insufficient
> validation of session IDs during TLS/SSL handshakes. A malicious
> server could use this to execute arbitrary code or perform denial
> of service.

On 02.06.14 15:38, Wolfgang Jeltsch wrote:
> Unfortunately, I still do not get any update for gnutls26, although the
> update should be available now, according to the recent e-mail by Moritz
> Muehlenhoff.

the lts packages are distributed through standard mirrors, where
higher delays can occur than on security.debian.org...

> Furthermore, I wonder how serious this problem is. The above
> announcement suggests that it only affects connections where the squeeze
> machine acts as a SSL/TLS client. Is this the case, or is the squeeze
> machine also vulnerable if it runs servers that support SSL/TLS? And are
> there generally any known exploits of this vulnerability?

no idea on this issue...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!