Took me a bit longer, but the blog post is now public and explains the issue in
detail, including its history and first incomplete fix:
https://blog.hboeck.de/archives/877-A-little-POODLE-left-in-GnuTLS-old-versions.html
--
You received this bug notification because you are a member of Ubuntu
Bugs,
Publishing as a security update now, thanks!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1510163
Title:
Poodle TLS1.0 issue in Trusty (and Precise)
To manage notifications about this bug go to:
This bug was fixed in the package gnutls26 - 2.12.23-12ubuntu2.3
---
gnutls26 (2.12.23-12ubuntu2.3) trusty-security; urgency=medium
* SECURITY UPDATE: Poodle TLS issue
- debian/patches/fix_tls_poodle.patch: fixes off by one
issue in padding check.
Patch created by
This bug was fixed in the package gnutls26 - 2.12.14-5ubuntu3.10
---
gnutls26 (2.12.14-5ubuntu3.10) precise-security; urgency=low
* SECURITY UPDATE: Poodle TLS issue
- debian/patches/fix_tls_poodle.patch: fixes off by one
issue in padding check.
Patch created by
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8313
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3566
--
** Changed in: gnutls26 (Ubuntu Precise)
Status: Confirmed => Triaged
** Changed in: gnutls26 (Ubuntu Trusty)
Status: Confirmed => Triaged
--
Hi Bryan,
Thanks for the debdiffs!
Where did you obtain the patch from Hanno Boeck?
** Also affects: gnutls26 (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: gnutls26 (Ubuntu Trusty)
Importance: Undecided
Status: New
--
Hi Marc,
In a private email, he did mention that he planned to blog about it in
the future.
--
** Changed in: gnutls26 (Ubuntu Precise)
Status: New => Confirmed
** Changed in: gnutls26 (Ubuntu Trusty)
Status: New => Confirmed
** Changed in: gnutls26 (Ubuntu Precise)
Importance: Undecided => High
** Changed in: gnutls26 (Ubuntu Trusty)
Importance: Undecided => High
**
** Description changed:
This issue is present in Trusty and Precise with the stock main gnutls -
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
If I switch cups to use gnutls28-dev on 14.04 the issue appears to go
away according to ssllabs. My test
** Patch added: "precise debdiff"
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163/+attachment/4525422/+files/gnutls26_2.12.14-5ubuntu3.10.debdiff
--
Tested both with ssllabs; should go from F rating to C rating - POODLE
TLS issue should be gone, but SSLv3 will still be enabled. That's a
separate bug - 1505328.
** Patch added: "trusty debdiff"
Unlike the other cups patch, this gnutls bug I believe should go to
security pocket.
--
** Description changed:
- This issue is present in Trusty and Precise with the stock main gnutls -
- https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-
- tls
-
- If I switch cups to use gnutls28-dev on 14.04 the issue appears to go
- away according to ssllabs. My test
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3566
** Changed in: gnutls26 (Ubuntu)
Importance: Undecided => High
** Tags added: poodle
--
** Information type changed from Public to Public Security