On Tue, Mar 4, 2014 at 2:52 PM, Andre Jaenisch <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hello, > > heads up! > > http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/ > > The code may be "broken" since nine years ? > > net-libs/gnutls-2.12.23-r1 is the most recent version I can find (and > have installed). >
It looks like Gentoo has patched net-libs/gnutls-2.12.23 to address the CVE. http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-libs/gnutls/ So, if there is some reason we don't want to update to gnutls-3.2.12 right now (which also is supposed to address the CVE), we can just bump net-libs/gnutls-2.12.23 to r4.
