The vulnerable code isn't in 2.12.x, so the gnutls26 package isn't
vulnerable.

** Changed in: gnutls26 (Ubuntu)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/1630544

Title:
  CVE-2016-7444 vulnerability

Status in gnutls26 package in Ubuntu:
  Invalid

Bug description:
  From: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7444

  Vulnerability Summary for CVE-2016-7444
  Original release date: 09/27/2016
  Last revised: 09/28/2016
  Source: US-CERT/NIST
  Overview

  The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS
  before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length
  of an OCSP response, which might allow remote attackers to bypass an
  intended certificate validation mechanism via vectors involving
  trailing bytes left by gnutls_malloc.

  
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7444 lists all
  versions pre 3.4.15 as vulnerable so 26 (2.12) should be assumed to be
  vulnerable.
  https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7444 lists
  gnutls28 as vulnerable but does not mention gnutls26.
