[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1]
From: |
Andreas Metzler |
Subject: |
Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1] |
Date: |
Mon, 19 May 2008 20:01:01 +0200 |
User-agent: |
Mutt/1.5.13 (2006-08-11) |
On 2008-05-19 Simon Josefsson <address@hidden> wrote:
> We are pleased to announce a new stable GnuTLS release: Version 2.2.4.
[...]
> *** [GNUTLS-SA-2008-1-3]
> *** libgnutls: Fix crash in cipher padding decoding for invalid record
> lengths.
> The crash can be triggered remotely before authentication, which can
> lead to a Daniel of Service attack to disable the server. The bug
> cause gnutls to read memory beyond the end of the received record.
Hello,
The fix for this one (gnutls_cipher.c) breaks clean end of session:
Using 2.2.3:
(SID)address@hidden:/tmp/GNUTLS/gnutls26-2.2.4$ gnutls-cli -p 443 www.gnutls.org
Resolving 'www.gnutls.org'...
[...]
- Handshake was completed
- Simple Client Mode:
get x
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
[...]
</BODY></HTML>
- Peer has closed the GNUTLS connection
Now with 2.2.4:
(SID)address@hidden:/tmp/GNUTLS/gnutls26-2.2.4$ gnutls-cli -p 443 www.gnutls.org
Resolving 'www.gnutls.org'...
- Handshake was completed
- Simple Client Mode:
get x
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
[...]
</BODY></HTML>
*** Fatal error: Decryption has failed.
*** Server has terminated the connection abnormally.
thanks, cu andreas
signature.asc
Description: Digital signature