oss-sec mailing list archives

Re: CVE Request: gnutls/libdane buffer overflow


From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 24 Oct 2013 18:28:17 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/24/2013 08:04 AM, Marcus Meissner wrote:
Hi,

GNUTLS just posted a security advisory which needs a CVE:

http://www.gnutls.org/security.html#GNUTLS-SA-2013-3 
GNUTLS-SA-2013-3 Denial of service
This vulnerability affects the DANE library of gnutls 3.1.x and
gnutls 3.2.x. A server that returns more than 4 DANE entries could
corrupt the memory of a requesting client.
Recommendation: Upgrade to the latest gnutls version (3.1.15 or 3.2.5)

Commit for 3.1: 
https://gitorious.org/gnutls/gnutls/commit/916deedf41604270ac398314809e8377476433db

Commit for 3.2: 
https://gitorious.org/gnutls/gnutls/commit/ed51e5e53cfbab3103d6b7b85b7ba4515e4f30c3

Ciao, Marcus

Please use CVE-2013-4466 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
-----END PGP SIGNATURE-----
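The advisory quoted above describes the classic shape of this bug: a client copies however many TLSA records the resolver hands back into a buffer sized for a fixed number of entries (4, per the advisory), so an oversized answer from a hostile or misconfigured DNS responder writes past the end. The following C is an added illustration of that pattern and of the bounds check that closes it; it is not gnutls or libdane code, and the struct layout, the `MAX_DANE_ENTRIES` constant, the function names and the sample records are all constructed for this example. Only the TLSA rdata layout (usage, selector, matching type, then certificate association data) comes from RFC 6698.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed capacity: the advisory says a server returning more than 4
   DANE entries can corrupt the client's memory, so this example uses 4. */
#define MAX_DANE_ENTRIES 4
#define MAX_ASSOC_DATA   32   /* room for a SHA-256 association (hypothetical cap) */

/* Constructed in-memory form of one TLSA record. */
typedef struct {
    uint8_t usage;
    uint8_t selector;
    uint8_t mtype;
    uint8_t data[MAX_ASSOC_DATA];
    size_t  data_len;
} tlsa_entry_t;

/* Constructed query result with a fixed-size entry array. */
typedef struct {
    tlsa_entry_t entries[MAX_DANE_ENTRIES];
    unsigned int count;
} dane_query_t;

/* Parse TLSA rdata per RFC 6698: 1 byte usage, 1 byte selector,
   1 byte matching type, then association data. Rejects short or
   oversized rdata instead of trusting the wire length. */
int parse_tlsa_rdata(const uint8_t *rdata, size_t len, tlsa_entry_t *out) {
    if (len < 3 || len - 3 > sizeof(out->data))
        return -1;
    out->usage    = rdata[0];
    out->selector = rdata[1];
    out->mtype    = rdata[2];
    out->data_len = len - 3;
    memcpy(out->data, rdata + 3, out->data_len);
    return 0;
}

/* Vulnerable pattern (illustrative): copies every record the resolver
   returned, trusting nrrs to fit the fixed array. With nrrs > 4 the
   loop writes past entries[3]. Never called by the test below. */
int dane_fill_unchecked(dane_query_t *q, const tlsa_entry_t *rrs, unsigned int nrrs) {
    for (unsigned int i = 0; i < nrrs; i++)
        q->entries[i] = rrs[i];          /* out-of-bounds write when nrrs > MAX_DANE_ENTRIES */
    q->count = nrrs;
    return 0;
}

/* Hardened pattern: bound the copy by the buffer, not by the answer.
   Rejecting the oversized answer is one reasonable choice; truncating
   to MAX_DANE_ENTRIES would be the other. */
int dane_fill_checked(dane_query_t *q, const tlsa_entry_t *rrs, unsigned int nrrs) {
    if (nrrs > MAX_DANE_ENTRIES)
        return -1;
    memcpy(q->entries, rrs, nrrs * sizeof(*rrs));
    q->count = nrrs;
    return 0;
}

/* Constructed sample answer: n records with usage 3 (DANE-EE),
   selector 1 (SPKI), matching type 1 (SHA-256) and dummy hash bytes. */
void build_sample_answer(tlsa_entry_t *out, unsigned int n) {
    for (unsigned int i = 0; i < n; i++) {
        out[i].usage = 3;
        out[i].selector = 1;
        out[i].mtype = 1;
        memset(out[i].data, 0x10 + (int)i, MAX_ASSOC_DATA);
        out[i].data_len = MAX_ASSOC_DATA;
    }
}

/* Helper for the test: result of the hardened fill for an n-record answer. */
int checked_fill_result(unsigned int nrrs) {
    tlsa_entry_t rrs[8];
    dane_query_t q;
    if (nrrs > 8) return -2;
    build_sample_answer(rrs, nrrs);
    return dane_fill_checked(&q, rrs, nrrs);
}

/* Helper for the test: usage field parsed from a constructed 35-byte rdata. */
int sample_rdata_usage(void) {
    static const uint8_t rdata[35] = { 3, 1, 1, 0xde, 0xad, 0xbe, 0xef };
    tlsa_entry_t e;
    if (parse_tlsa_rdata(rdata, sizeof rdata, &e) != 0) return -1;
    return e.usage;
}

/* Helper for the test: rdata longer than the association buffer is rejected. */
int oversized_rdata_result(void) {
    static const uint8_t rdata[40] = { 3, 1, 1 };
    tlsa_entry_t e;
    return parse_tlsa_rdata(rdata, sizeof rdata, &e);
}

int main(void) {
    printf("4 records: %d (0 = accepted)\n", checked_fill_result(4));
    printf("6 records: %d (-1 = rejected instead of overflowing)\n", checked_fill_result(6));
    return 0;
}
```

The check that matters is the one in `dane_fill_checked`: the record count that drives the copy comes from an untrusted DNS answer, so it has to be compared against the destination capacity before any write. The same rule is applied inside `parse_tlsa_rdata`, where the association data length is likewise attacker-controlled.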

