On Monday, 02.06.2014, at 09:50 +0200, Moritz Muehlenhoff wrote:
> Package : gnutls26
> Version : 2.8.6-1+squeeze4
> CVE ID : CVE-2014-3466
>
> Joonas Kuorilehto discovered that GNU TLS performed insufficient
> validation of session IDs during TLS/SSL handshakes. A malicious
> server could use this to execute arbitrary code or perform denial
> of service.

Hi,

first of all, thank you for making Debian LTS a reality.

Unfortunately, I still do not get any update for gnutls26, although the update should be available now, according to the recent e-mail by Moritz Muehlenhoff.

Furthermore, I wonder how serious this problem is. The above announcement suggests that it only affects connections where the squeeze machine acts as an SSL/TLS client. Is this the case, or is the squeeze machine also vulnerable if it runs servers that support SSL/TLS? And are there generally any known exploits of this vulnerability?

All the best,
Wolfgang

Archive: https://lists.debian.org/1401712715.2649.38.camel@idefix
