On 2016-01-13 02:52, Benoît Allard wrote:
On Tue, 12 Jan 2016 15:29:37 +0100
Guillaume Castagnino <[email protected]> wrote:
Hi,
I have the same issue since the last gnutls CVE fix on Ubuntu (14.04):
http://launchpadlibrarian.net/233330701/gnutls26_2.12.23-12ubuntu2.3_2.12.23-12ubuntu2.4.diff.gz
The fix removes the fallback using extensions in certificate to
negotiate cipher. This exposes a bug in the openvas library.
Find attached my fix for openvas8. The problem is that the "SECURE"
priority string does not exist (see
http://www.gnutls.org/manual/html_node/Priority-Strings.html). I
don’t know why gnutls_priority_set_direct does not issue an error,
but this is the cause of the bug.
Bye!
I can confirm that the "SECURE" cipher suite does not exist, and that
the documentation says that "NORMAL" means 'all the secure ciphers'.
Hence I committed your patch as r24104, and backported to OpenVAS 8 as
r24105.
Thank you very much for your contribution! Don't hesitate to post
such patches here or in -devel in the future.
Best Regards,
Ben.
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
And for those of you on Ubuntu using this ppa
(https://launchpad.net/~mrazavi/+archive/ubuntu/openvas) Mohammad has
already included the patch that Guillaume created... I've tested with the
latest Ubuntu GnuTLS patches and it's worked fine. Reason #723 why I
love open source... FAST fixes.
James