Your message dated Wed, 12 Nov 2014 20:27:23 +0100 with message-id <[email protected]> and subject line Fixed in 3.3.10 (experimental) has caused the Debian Bug report #769154, regarding gnutls28: CVE-2014-8564: Heap corruption when generating key ID for ECC (GNUTLS-SA-2014-5) to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 769154: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769154 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Source: gnutls28 Version: 3.3.8-3 Severity: grave Tags: security upstream patch fixed-upstream Hi, the following vulnerability was published for gnutls28. CVE-2014-8564[0]: Heap corruption when generating key ID for ECC (GNUTLS-SA-2014-5) | An out-of-bounds memory write flaw was found in the way GnuTLS parsed | certain ECC (Elliptic Curve Cryptography) certificates or certificate | signing requests (CSR). A malicious user could create a specially | crafted ECC certificate or a certificate signing request that, when | processed by an application compiled against GnuTLS (for example, | certtool), could cause that application to crash or execute arbitrary | code with the permissions of the user running the application. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2014-8564 [1] http://www.gnutls.org/security.html#GNUTLS-SA-2014-5 [2] https://gitorious.org/gnutls/gnutls/commit/e821e1908686657a45c1b735f6d077b7a8493e2b (3.3.x branch) Regards, Salvatore
--- End Message ---
--- Begin Message ---Version: 3.3.10-1 Distribution: experimental Urgency: medium Date: Mon, 10 Nov 2014 19:29:30 +0100 gnutls28 (3.3.10-1) experimental; urgency=medium . * debian/rules: fix pattern for removal (and re-generation) of autogen-ed manpages. * New upstream version. + Includes fix for a denial of service issue CVE-2014-8564 / GNUTLS-SA-2014-5. + When gnutls_global_init() is called for a second time, it will check whether the /dev/urandom fd kept is still open and matches the original one. That behavior works around issues with servers that close all file descriptors. This should take care of #760476.
--- End Message ---
