On Tue, 12 Jan 2016 15:29:37 +0100 Guillaume Castagnino <[email protected]> wrote:
> Hi,
>
> I have the same issue since the last gnutls CVE fix on ubuntu (14.04):
> http://launchpadlibrarian.net/233330701/gnutls26_2.12.23-12ubuntu2.3_2.12.23-12ubuntu2.4.diff.gz
>
> The fix removes the fallback using extensions in certificate to
> negotiate cipher. This exposes a bug in openvas library.
>
> Find attached my fix for openvas8. The problem is that the "SECURE"
> priority string does not exist (see
> http://www.gnutls.org/manual/html_node/Priority-Strings.html). I
> don’t know why gnutls_priority_set_direct does not issue an error,
> but this is the cause of the bug.
>
> Bye!

I can confirm that the "SECURE" cipher suite does not exist, and that the documentation says that "NORMAL" means 'all the secure ciphers'.

Hence I committed your patch as r24104, and backported to OpenVAS 8 as r24105.

Thank you very much for your contribution! Don't hesitate to post such patches here or in -devel in the future.

Best Regards,
Ben.
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
