fre 2011-11-11 klockan 16:10 +0100 skrev Moritz Muehlenhoff: > Package: gnutls26 > Severity: important > Tags: security > > Please see http://www.gnu.org/s/gnutls/security.html for details. > > Fixes: > http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=7fc8fa6464d305440fddab423079c76a915decc3 > http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=588708465992e1d9fc09cf4e3a39caef878428d9 > > Given the following inline documentation I would assume that this > could be triggered by a malicious server providing a service over > TLS to crash the client, but not the other way 'round. Is that correct?
As far as I understand, the client also has to be written in a
vulnerable way. The example code doesn't, and likely there are few
clients like that around. More investigation is warranted...
/Simon
>
> /**
>
> * gnutls_session_get_data - Returns all session
> parameters.
> * @session: is a
> #gnutls_session_t structure.
>
> * @session_data: is a pointer to space to hold the session.
>
> * @session_data_size: is the session_data's
> size, or it will be set by the function.
> *
> !
>
>
> * Returns all session parameters, in order to support resuming. The
>
> * client should call this, and keep the returned
> session, if he
> * wants to resume that
> current version later by calling
>
> * gnutls_session_set_data() This function must be called after a
>
> * successful handshake.
>
>
> *
>
> * Resuming sessions is really useful and speedups
> connections after
> * a succesful one.
>
> *
>
>
>
> * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
>
> * an error code is returned.
>
> **/
>
> Cheers,
> Moritz
>
>
>
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

