Your message dated Fri, 25 Oct 2013 17:18:56 +0200
with message-id <[email protected]>
and subject line Re: Bug#727660: gnutls28: CVE-2013-4466: GNUTLS-SA-2013-3
has caused the Debian Bug report #727660,
regarding gnutls28: CVE-2013-4466: GNUTLS-SA-2013-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
727660: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727660
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnutls28
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for gnutls28.

CVE-2013-4466[0]:
gnutls/libdane buffer overflow

This only affects 3.1.x and 3.2.x, so gnutls28. A patch [1] is
provided (upstream recommendation is to directly update to 3.2.5, see
[2]).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4466
    http://security-tracker.debian.org/tracker/CVE-2013-4466
[1] https://gitorious.org/gnutls/gnutls/commit/ed51e5e53cfbab3103d6b7b85b7ba4515e4f30c3
[2] http://www.gnutls.org/security.html#GNUTLS-SA-2013-3

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Hi Daniel,

On Fri, Oct 25, 2013 at 09:56:58AM -0400, Daniel Kahn Gillmor wrote:
> On 10/25/2013 12:20 AM, Salvatore Bonaccorso wrote:
>
> > CVE-2013-4466[0]:
> > gnutls/libdane buffer overflow
> >
> > This only affects 3.1.x and 3.2.x, so gnutls28. A patch [1] is
> > provided (upstream recommendation is to directly update to 3.2.5, see
> > [2]).
>
> Is this relevant for debian, given that we build with --disable-libdane?

Thanks for this heads-up. I missed this part when checking for the
mentioned CVE. Apologies for the mistaken bug report.

> btw, it's not clear to me why we --disable-libdane -- I see that it was
> set (along with --without-tpm) in 3.1.3-1, but I don't see the reason
> for it.  Could that be clarified someplace?

I'm closing the bug report regarding CVE-2013-4466. But it is still
valid to clarify the above, if possible?

Thanks again, Daniel.

Regards,
Salvatore

--- End Message ---