Hi,

On Mon, 02 Jun 2014 15:38:35 +0300, Wolfgang Jeltsch wrote:
> Unfortunately, I still do not get any update for gnutls26, although the
> update should be available now, according to the recent e-mail by Moritz
> Muehlenhoff.

Regular security.d.o usually has all mirrors updated before the announcement goes out. I guess squeeze-lts is not as fast. But after 6 hours I'm *still* not seeing gnutls26 yet at:

ftp://ftp.debian.org/debian/dists/squeeze-lts/main/binary-amd64/
ftp://ftp.uk.debian.org/debian/dists/squeeze-lts/main/binary-amd64/
ftp://ftp.de.debian.org/debian/dists/squeeze-lts/main/binary-amd64/

> Furthermore, I wonder how serious this problem is. The above
> announcement suggests that it only affects connections where the squeeze
> machine acts as an SSL/TLS client. Is this the case, or is the squeeze
> machine also vulnerable if it runs servers that support SSL/TLS? And are
> there generally any known exploits of this vulnerability?

Not sure, but it sounds quite serious to me. Consider that Exim might negotiate STARTTLS on any outgoing email. A lot of people might use wget as root to periodically fetch things via https://. Fortunately at least CURL seems to link with OpenSSL instead.

At present, NVD hasn't published a write-up or CVSS score yet:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3466

But someone has at least begun to work on a PoC, and I imagine others are being worked on less publicly:
https://github.com/azet/CVE-2014-3466_PoC

Regards,
--
Steven Chamberlain
[email protected]

Archive: https://lists.debian.org/[email protected]
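The mail above asks, in effect, which local programs pick up TLS from gnutls26 (wget, Exim) and which use OpenSSL instead (curl). The following script is an added example, not part of the original mail; it classifies installed binaries by the TLS library their `ldd` output shows, so an administrator can see which tools a gnutls26 update actually covers. It assumes a Debian-like system with `ldd` in PATH; the program names passed to it and the sample `ldd` lines are constructed.

```shell
#!/bin/sh
# Added example: report whether each program links GnuTLS, OpenSSL, both or
# neither, based on the dynamic loader's view of the binary.

# tls_lib_of LDD_OUTPUT -> prints "gnutls", "openssl", "both" or "none"
tls_lib_of() {
    _g=0; _o=0
    printf '%s\n' "$1" | grep -q 'libgnutls' && _g=1
    printf '%s\n' "$1" | grep -q 'libssl\.so' && _o=1
    case "$_g$_o" in
        11) echo both ;;
        10) echo gnutls ;;
        01) echo openssl ;;
        *)  echo none ;;
    esac
}

# audit_binaries PROG... -> one "name: lib" line per program; programs that
# are not installed are reported as such rather than skipped silently.
audit_binaries() {
    for p in "$@"; do
        if path=$(command -v "$p" 2>/dev/null); then
            echo "$p: $(tls_lib_of "$(ldd "$path" 2>/dev/null)")"
        else
            echo "$p: not installed"
        fi
    done
}

# Constructed sample ldd output (not captured from a real host) so the
# classifier can be checked without touching the system.
SAMPLE_WGET='    libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26 (0x...)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)'
SAMPLE_CURL='    libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x...)
    libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x...)'

if [ "${1:-}" = "--self-test" ]; then
    echo "sample wget: $(tls_lib_of "$SAMPLE_WGET")"   # gnutls
    echo "sample curl: $(tls_lib_of "$SAMPLE_CURL")"   # openssl
elif [ $# -gt 0 ]; then
    audit_binaries "$@"
else
    # Default set mirrors the programs discussed in the mail (assumed names).
    audit_binaries wget curl exim4 gnutls-cli
fi
```

Run it with no arguments to audit the default set, or pass program names explicitly; `--self-test` exercises the classifier on the constructed samples only.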
