Bugzilla – Bug 5537
Upgrade GnuTLS to latest version
Last modified: 2016-12-05 11:18:26
We are using 3.3.11, latest is 3.3.15 / 3.4.1.
Latest available GnuTLS with ABI 3.0.0 is v3.3.17 and we currently have GnuTLS
Here follows information about security issues fixed if we upgrade to 3.3.17.
Double free in CRL distribution points decoding of a certificate
Robert Święcki reported that decoding a specially crafted certificate with
certain CRL distribution points format can lead to a double free.
This issue was fixed in GnuTLS 3.3.14.
Recommendation: Upgrade to GnuTLS 3.3.14, or later versions.
Double free in certificate DN decoding
Kurt Roeckx reported that decoding a specific certificate with very long
DistinguishedName (DN) entries leads to a double free, which may result in a
denial of service. Since the DN decoding occurs in almost all applications
using certificates, it is recommended to upgrade to the latest GnuTLS version
fixing the issue.
Recommendation: Upgrade to GnuTLS 3.4.4, or 3.3.17.
ServerKeyExchange signature issue
Karthikeyan Bhargavan reported that a ServerKeyExchange signature sent by the
server is not verified to be in the set of algorithms acceptable to the client.
That has the effect of allowing MD5 signatures (which are disabled by default)
in the ServerKeyExchange message. It is not believed that this bug can be
exploited because a fraudulent signature has to be generated in real-time which
is not known to be possible. However, since attacks can only get better it is
recommended to update to a GnuTLS version which addresses the issue.
Recommendation: Upgrade to GnuTLS 3.4.1, or 3.3.15.
None of the mentioned security advisories affect ThinLinc, which makes this
bug a non-blocker for ThinLinc v4.5.0.
All done. Work done at the same time as bug 5540, so time is reported there.
Tested tlstunnel and certificate parsing.
Works fine. Tested the HTML5 client and Smart Card authentication on Fedora 23,
ThinLinc build 4985.