Bug 5537 - Upgrade GnuTLS to latest version
: Upgrade GnuTLS to latest version
: ThinLinc
Build system
: trunk
: PC Unknown
: P2 Normal
: 4.6.0
Assigned To:
  Show dependency treegraph
Reported: 2015-05-19 16:46 by
Modified: 2016-12-05 11:18 (History)
Acceptance Criteria:



You need to log in before you can comment on or make changes to this bug.

Description From cendio 2015-05-19 16:46:56
We are using using 3.3.11, latest is 3.3.15 / 3.4.1.
------- Comment #1 From cendio 2015-09-11 09:27:09 -------
Latest available GnuTLS with ABI 3.0.0 is v3.3.17 and we currently have GnuTLS

Here follows information about security issues fixed if we upgrade to 3.3.17.

Double free in CRL distribution points decoding of a certificate

Robert Święcki reported that decoding a specially crafted certificate with
certain CRL distribution points format can lead to a double free.
This issue was fixed in GnuTLS 3.3.14.

Recommendation: Upgrade to GnuTLS 3.3.14, or later versions.

Double free in certificate DN decoding

Kurt Roeckx reported that decoding a specific certificate with very long
DistinguishedName (DN) entries leads to double free, which may result to a
denial of service. Since the DN decoding occurs in almost all applications
using certificates it is recommended to upgrade the latest GnuTLS version
fixing the issue.

Recommendation: Upgrade to GnuTLS 3.4.4, or 3.3.17.

ServerKeyExchange signature issue

Karthikeyan Bhargavan reported that a ServerKeyExchange signature sent by the
server is not verified to be in the acceptable by the client set of algorithms.
That has the effect of allowing MD5 signatures (which are disabled by default)
in the ServerKeyExchange message. It is not believed that this bug can be
exploited because a fraudulent signature has to be generated in real-time which
is not known to be possible. However, since attacks can only get better it is
recommended to update to a GnuTLS version which addresses the issue.

Recommendation: Upgrade to GnuTLS 3.4.1, or 3.3.15.
------- Comment #2 From cendio 2015-09-11 10:02:42 -------
Neither of the mentioned security advisors affects ThinLinc, which makes this
bug a non blocker for ThinLinc v4.5.0.
------- Comment #5 From cendio 2015-12-15 09:59:07 -------
All done. Work done at the same time as bug 5540, so time is reported there.

Tested tlstunnel and certificate parsing.
------- Comment #6 From cendio 2015-12-30 11:05:27 -------
Works fine. Tested the HTML5 client and Smart Card authentication on fedora 23,
ThinLinc build 4985.