On Sun, Sep 11, 2016 at 5:41 PM, Leo Famulari <l...@famulari.name> wrote: > There is a GnuTLS security advisory [0] regarding "an issue that affects > validation of certificates using OCSP responses, which can falsely > report a certificate as valid under certain circumstances." > > I updated GnuTLS on core-updates to 3.5.4, the latest release of the 3.5 > series. > > For master, the naive approach of cherry-picking the patch [1] did not > work; the test 'system-prio-file' fails consistently with that change. I > could instead try grafting the updated version. > > What do you think? The authors seem to think it's a relatively minor > issue [2], since exploiting it requires an attacker to compromise the > certificate authority.
Side questions (just for my curiosity's sake): - What does it cost (manpower, hydra build time, etc...) approximatively to do a new release ? - Is it sufficiently automated ? - Can we help ? -- Vincent Legoll
