Public bug reported: From: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7444
Vulnerability Summary for CVE-2016-7444 Original release date: 09/27/2016 Last revised: 09/28/2016 Source: US-CERT/NIST Overview The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7444 lists all versions pre 3.4.15 as vulnerable so 26 (2.12) should be assumed to be vulnerable. https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7444 lists gnutls28 as vulnerable but does not mention gnutls26. ** Affects: gnutls26 (Ubuntu) Importance: Undecided Status: New ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1630544 Title: CVE-2016-7444 vulnerability To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1630544/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
