www.cendio.com
Bug 5852 - Upgrade GnuTLS to latest version
: Upgrade GnuTLS to latest version
Status: CLOSED FIXED
: ThinLinc
Build system
: pre-1.0
: PC Unknown
: P2 Normal
: 4.7.0
Assigned To:
:
:
:
:
  Show dependency treegraph
 
Reported: 2016-04-22 16:44 by
Modified: 2016-09-23 10:07 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From cendio 2016-04-22 16:44:18
We're on 3.4.7 but 3.4.11 is available. No CVE has been issued since our last
upgrade though.
------- Comment #2 From cendio 2016-06-20 13:26:02 -------
GnuTLS has been upgraded from 3.4.7 to 3.5.1.

CVE:s fixed since 3.4.7:

 * GNUTLS-SA-2016-1/CVE-2016-4456
   File overwrite by setuid programs

   Introduced in 3.4.12, fixed in 3.4.13 - we were never affected
   by this.


I've verified that the http/https detection still works, and that Firefox and
Google Chrome are happy with the selected cryptos with tlstunnel on x86_64.
------- Comment #3 From cendio 2016-06-23 13:54:52 -------
Mime-type property was lost on new tar-file. Added application-x/xz.
------- Comment #5 From cendio 2016-06-23 15:44:31 -------
Verified commit and that Chavez is building with new libs. Tested with webadmin
and webaccess with 2048 and 4096 bit keys.