gnutls-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1]


From: Andreas Metzler
Subject: Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1]
Date: Mon, 19 May 2008 20:01:01 +0200
User-agent: Mutt/1.5.13 (2006-08-11)

On 2008-05-19 Simon Josefsson <address@hidden> wrote:
> We are pleased to announce a new stable GnuTLS release: Version 2.2.4.
[...]
> *** [GNUTLS-SA-2008-1-3]
> *** libgnutls: Fix crash in cipher padding decoding for invalid record 
> lengths.
> The crash can be triggered remotely before authentication, which can
> lead to a Daniel of Service attack to disable the server.  The bug
> cause gnutls to read memory beyond the end of the received record.

Hello,
The fix for this one (gnutls_cipher.c) breaks clean end of session:

Using 2.2.3:
(SID)address@hidden:/tmp/GNUTLS/gnutls26-2.2.4$ gnutls-cli -p 443 www.gnutls.org
Resolving 'www.gnutls.org'...
[...]
- Handshake was completed

- Simple Client Mode:

get x
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
[...]
</BODY></HTML>
- Peer has closed the GNUTLS connection


Now with 2.2.4:
(SID)address@hidden:/tmp/GNUTLS/gnutls26-2.2.4$ gnutls-cli -p 443 www.gnutls.org
Resolving 'www.gnutls.org'...
- Handshake was completed

- Simple Client Mode:

get x
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
[...]
</BODY></HTML>
*** Fatal error: Decryption has failed.
*** Server has terminated the connection abnormally.

thanks, cu andreas

Attachment: signature.asc
Description: Digital signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]