[Nufw-Announces] GnuTLS critical upgrade
From: nufw-announces
Subject: [Nufw-Announces] GnuTLS critical upgrade
Date: Thu, 28 Apr 2005 15:53:48 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050324 Debian/1.7.6-1

Greetings,
The NuFW core team has found a bug in GnuTLS. All versions of GnuTLS
(1.0 Branch <= 1.0.24, 1.2 Branch <= 1.2.2) are affected.
The bug was found while performing heavy stress tests on the nuauth
daemon, with invalid logins/passwords. The bug leads to no exploit that
we know of, but allowed a malicious user to bring down the nuauth daemon.
The bug was reported by us yesterday to the GnuTLS team, which reacted
very quickly by releasing versions 1.0.25 and 1.2.3, both of which fix the flaw.
We, the NuFW maintainers, advise all users to upgrade their GnuTLS
installations as soon as possible. Of course, not only NuFW is
affected, but also other packages using the GnuTLS library such as
(maybe) openldap.
For Debian users, we have put Sarge packages online that fix this flaw
(the official Debian fix should however be available within a few days).
They are available at http://www.nufw.org/download/gnutls/.
At the same URL, the diff file patching GnuTLS sources is also available.
Also, we are proud to announce that NuFW 1.0.3 will be released within
very few days, with many minor fixes and cleanups.
Happy user filtering,
Vincent Deffontaines