Bug 5537 - Upgrade GnuTLS to latest version
Summary: Upgrade GnuTLS to latest version
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Build system
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.6.0
Assignee: Pierre Ossman
URL:
Keywords: relnotes, samuel_tester
Depends on:
Blocks:
 
Reported: 2015-05-19 16:46 CEST by Samuel Mannehed
Modified: 2016-12-05 11:18 CET (History)
CC: 2 users

See Also:
Acceptance Criteria:


Attachments

Description Samuel Mannehed cendio 2015-05-19 16:46:56 CEST
We are using 3.3.11, latest is 3.3.15 / 3.4.1.
Comment 1 Henrik Andersson cendio 2015-09-11 09:27:09 CEST
Latest available GnuTLS with ABI 3.0.0 is v3.3.17 and we currently have GnuTLS v3.3.11.

Here follows information about security issues fixed if we upgrade to 3.3.17.


GNUTLS-SA-2015-4
================
Double free in CRL distribution points decoding of a certificate

Robert Święcki reported that decoding a specially crafted certificate with certain CRL distribution points format can lead to a double free.
This issue was fixed in GnuTLS 3.3.14.

Recommendation: Upgrade to GnuTLS 3.3.14, or later versions.


GNUTLS-SA-2015-3
================
Double free in certificate DN decoding

Kurt Roeckx reported that decoding a specific certificate with very long DistinguishedName (DN) entries leads to a double free, which may result in a denial of service. Since DN decoding occurs in almost all applications using certificates, it is recommended to upgrade to the latest GnuTLS version fixing the issue.

Recommendation: Upgrade to GnuTLS 3.4.4, or 3.3.17.


GNUTLS-SA-2015-2
================
ServerKeyExchange signature issue

Karthikeyan Bhargavan reported that a ServerKeyExchange signature sent by the server is not verified to be in the set of algorithms acceptable to the client. That has the effect of allowing MD5 signatures (which are disabled by default) in the ServerKeyExchange message. It is not believed that this bug can be exploited, because a fraudulent signature has to be generated in real time, which is not known to be possible. However, since attacks can only get better, it is recommended to update to a GnuTLS version which addresses the issue.

Recommendation: Upgrade to GnuTLS 3.4.1, or 3.3.15.
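Added example (not part of the bug report or of GnuTLS itself): a branch-aware check of a GnuTLS version string against the fixed versions quoted in the three advisories above. The advisory names and fixed versions are copied from the text; the function names and the handling of branches the advisories do not list are my own assumptions.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed versions per stable branch, copied from the advisory text above.
ADVISORIES: Dict[str, List[Version]] = {
    "GNUTLS-SA-2015-4": [(3, 3, 14)],
    "GNUTLS-SA-2015-3": [(3, 3, 17), (3, 4, 4)],
    "GNUTLS-SA-2015-2": [(3, 3, 15), (3, 4, 1)],
}


def parse_version(text: str) -> Version:
    """Turn '3.3.11' into (3, 3, 11); a missing patch level counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected GnuTLS version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_fixed(version: Version, fixed_in: List[Version]) -> bool:
    """Branch-aware comparison. A release is fixed only if it is at or past
    the fix on its own branch: 3.4.0 sorts after 3.3.17 but still lacks the
    GNUTLS-SA-2015-3 fix, which the 3.4 branch got in 3.4.4. Assumption: a
    branch newer than every listed one carries the fix (the advisories say
    'or later versions'); a branch older than every listed one never got it.
    """
    branch = version[:2]
    for fix in fixed_in:
        if fix[:2] == branch:
            return version >= fix
    newest_listed_branch = max(f[:2] for f in fixed_in)
    return branch > newest_listed_branch


def open_advisories(version_text: str) -> List[str]:
    """Names of the advisories above that still apply to the given build."""
    version = parse_version(version_text)
    return [name for name, fixed in ADVISORIES.items()
            if not is_fixed(version, fixed)]


if __name__ == "__main__":
    for v in ("3.3.11", "3.3.17", "3.4.0"):
        print(v, open_advisories(v) or "no open advisories from this list")
```

Note that a naive "newer than 3.3.17" test would have cleared 3.4.0 through 3.4.3 for all three advisories, which the branch-aware check does not.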
Comment 2 Henrik Andersson cendio 2015-09-11 10:02:42 CEST
Neither of the mentioned security advisories affects ThinLinc, which makes this bug a non-blocker for ThinLinc v4.5.0.
Comment 5 Pierre Ossman cendio 2015-12-15 09:59:07 CET
All done. Work done at the same time as bug 5540, so time is reported there.

Tested tlstunnel and certificate parsing.
Comment 6 Samuel Mannehed cendio 2015-12-30 11:05:27 CET
Works fine. Tested the HTML5 client and Smart Card authentication on Fedora 23, ThinLinc build 4985.
