Troy Hinckley <[email protected]> writes:

> My company will not let us use gnutls due to CVE-2021-46848, which impacts
> libtasn1 versions less than 4.19. Gnutls is using version 4.16, and hence is
> subject to this vulnerability. We attempted to build with 4.19, but the build
> failed. What would it take for Gnutls to upgrade to a security compliant
> version of libtasn1?

I think that depends on how you build GnuTLS.

If it is configured to link with libtasn1 installed on the system (default), you would anyway need to update it; I suggest reporting any build failure to the upstream issue tracker:
https://gitlab.com/gnutls/libtasn1/-/issues

Otherwise, if it is configured to use libtasn1 bundled in the GnuTLS release (i.e., with --with-included-libtasn1), upgrading to GnuTLS 3.8.0 might be an option, as it includes 4.19.

Regards,
--
Daiki Ueno
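
The two cases in the reply above, as an added example that is not part of the original thread or of the GnuTLS project: a shell check that classifies a libgnutls build as using the system or the bundled libtasn1 and names the component to upgrade. The function names, the ldd-based heuristic and the sample ldd output are assumptions made for illustration; the 4.19 and 3.8.0 thresholds are the ones given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Thresholds are the ones the thread names.
FIXED_TASN1="4.19"    # libtasn1 below this is affected by CVE-2021-46848
FIXED_GNUTLS="3.8.0"  # GnuTLS release whose bundled libtasn1 is 4.19

# ver_ge A B: succeed when dotted numeric version A >= B (4.19 equals 4.19.0).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# tasn1_linkage: read `ldd <libgnutls>` output on stdin. Heuristic (assumption):
# no libtasn1.so dependency means the --with-included-libtasn1 copy is in use.
tasn1_linkage() {
    if grep -q 'libtasn1\.so'; then echo system; else echo bundled; fi
}

# advise LINKAGE TASN1_VERSION GNUTLS_VERSION: print the action the reply implies.
advise() {
    case "$1" in
    system)  if ver_ge "$2" "$FIXED_TASN1"; then echo ok; else echo update-system-libtasn1; fi ;;
    bundled) if ver_ge "$3" "$FIXED_GNUTLS"; then echo ok; else echo upgrade-gnutls; fi ;;
    *)       echo unknown ;;
    esac
}

# Constructed sample ldd output; on a real host pipe in `ldd /path/to/libgnutls.so.30`
# and take the system version from `pkg-config --modversion libtasn1`.
SAMPLE_SYSTEM='	libtasn1.so.6 => /usr/lib/libtasn1.so.6 (0x00007f0000000000)
	libc.so.6 => /lib/libc.so.6 (0x00007f0000200000)'
SAMPLE_BUNDLED='	libc.so.6 => /lib/libc.so.6 (0x00007f0000200000)'

for sample in "$SAMPLE_SYSTEM" "$SAMPLE_BUNDLED"; do
    linkage=$(printf '%s\n' "$sample" | tasn1_linkage)
    # 4.16 is the version from the thread; GnuTLS 3.7.0 is a constructed value.
    echo "$linkage: $(advise "$linkage" 4.16 3.7.0)"
done
```

A statically linked system libtasn1 would also show no libtasn1.so dependency, so a "bundled" result is worth confirming against the configure options used for the build.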
