On Wed, Nov 12, 2008 at 12:15 PM, Simon Josefsson [EMAIL PROTECTED] wrote:
You mean just removing this code snippet instead of moving it?
/* Check if the last certificate in the path is self signed.
* In that case ignore it (a certificate is trusted only if it
* leads to a trusted
Michael Meskes [EMAIL PROTECTED] writes:
On Tue, Nov 11, 2008 at 04:55:57PM +0100, Simon Josefsson wrote:
I think we have identified the problem, see:
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3216/focus=3230
That patch at least solves the vulnerability and the crash,
On Tue, Nov 11, 2008 at 04:55:57PM +0100, Simon Josefsson wrote:
I think we have identified the problem, see:
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3216/focus=3230
That patch at least solves the vulnerability and the crash, so possibly
it could be uploaded to
tags 424763 + patch
thanks
Hi,
Thanks to Simon for the pointer.
Please find attached a debdiff for the bug.
cheers,
Fathi
diff -u gnutls26-2.4.2/debian/changelog gnutls26-2.4.2/debian/changelog
--- gnutls26-2.4.2/debian/changelog
+++ gnutls26-2.4.2/debian/changelog
@@ -1,3 +1,11 @@
Nikos Mavrogiannopoulos [EMAIL PROTECTED] writes:
1) Remove the code. Fixes both crash and vulnerability.
My suggestion is to remove the offending code.
Thanks. I'll prepare a 2.6.2 release.
/Simon
Lincoln de Sousa [EMAIL PROTECTED] writes:
I had the same problem and I started to investigate.
I got the libgnutls26 source package with apt-get source and just recompiled
it, after that I did the following:
$ export LD_PRELOAD=lib/.libs/libgnutls.so.26
$ mutt
and everything worked.
Michael Meskes [EMAIL PROTECTED] writes:
On Tue, Nov 11, 2008 at 02:41:39PM +0100, Simon Josefsson wrote:
...
and then press Ctrl-D, and cut'n'paste the output? I'm interested to
see the certificate chain of the server.
Here we go:
* OK Dovecot ready.
. STARTTLS
. OK Begin TLS
Package: libgnutls26
Version: 2.4.2-2
Severity: critical
Justification: breaks unrelated software
Since updating libgnutls26 today I cannot use mutt anymore because it gets a
segfault. Here's what gdb says:
#0 0xf7e13ff4 in _gnutls_x509_crt_get_raw_dn2 (cert=0x11, whom=0xf7e4e367
issuer,
On Tue, Nov 11, 2008 at 02:41:39PM +0100, Simon Josefsson wrote:
...
and then press Ctrl-D, and cut'n'paste the output? I'm interested to
see the certificate chain of the server.
Here we go:
* OK Dovecot ready.
. STARTTLS
. OK Begin TLS negotiation now.
*** Starting TLS handshake
- Ephemeral
I had the same problem and I started to investigate.
I got the libgnutls26 source package with apt-get source and just recompiled
it, after that I did the following:
$ export LD_PRELOAD=lib/.libs/libgnutls.so.26
$ mutt
and everything worked. weird, isn't it?
data requested:
[EMAIL
On Tue, Nov 11, 2008 at 03:37:02PM +0100, Simon Josefsson wrote:
Lincoln de Sousa [EMAIL PROTECTED] writes:
I had the same problem and I started to investigate.
I got the libgnutls26 source package with apt-get source and just
recompiled
it, after that I did the following:
$
In hope that this information might be useful for tracking down the problem...
I can reproduce it with my self-signed certificate loaded in dovecot,
but not with my cacert-signed certificate.
If needed for debugging, I could give up my self-signed key since I could
stop using it without much
Michael Meskes [EMAIL PROTECTED] writes:
Package: libgnutls26
Version: 2.4.2-2
Severity: critical
Justification: breaks unrelated software
Since updating libgnutls26 today I cannot use mutt anymore because it gets a
segfault. Here's what gdb says:
#0 0xf7e13ff4 in