oss-sec mailing list archives
Re: CVE request: GNUTLS-SA-2015-3 double free in certificate DN decoding
From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 14 Aug 2015 15:04:03 +0200
Hi,

On Mon, Aug 10, 2015 at 11:23:02AM +0200, Martin Prpic wrote:

> Hi,
>
> GnuTLS released versions 3.4.4 and 3.3.17 that fix one security issue:
>
> http://www.gnutls.org/security.html#GNUTLS-SA-2015-3
>
> "Kurt Roeckx reported that decoding a specific certificate with very long DistinguishedName (DN) entries leads to a double free, which may result in a denial of service. Since DN decoding occurs in almost all applications using certificates, it is recommended to upgrade to the latest GnuTLS version fixing the issue.
>
> Recommendation: Upgrade to GnuTLS 3.4.4, or 3.3.17."
>
> The upstream patch that fixes this issue is available at:
>
> https://gitlab.com/gnutls/gnutls/commit/272854367efc130fbd4f1a51840d80c630214e12
>
> Can a CVE please be assigned to this issue?
>
> Also, there is still no CVE for the issue before this one. The CVE request was sent on May 5:
>
> http://seclists.org/oss-sec/2015/q2/367
>
> Can a CVE be assigned to this as well?
>
> Thank you!
>
> Refs:
> rhbz GNUTLS-SA-2015-2: https://bugzilla.redhat.com/1218426
> rhbz GNUTLS-SA-2015-3: https://bugzilla.redhat.com/1251902
Explicitly adding the MITRE CVE assignment team to the loop. Can CVEs be assigned for both the GNUTLS-SA-2015-2 and GNUTLS-SA-2015-3 issues?

Regards,
Salvatore