Date:      Mon, 4 Feb 2013 14:12:31 GMT
From:      Phil Pennock <phil.pennock@globnix.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/175831: [SECURITY] security/gnutls security update (2.12.23)
Message-ID:  <201302041412.r14ECVgL067202@red.freebsd.org>
Resent-Message-ID: <201302041420.r14EK3od068298@freefall.freebsd.org>


>Number:         175831
>Category:       ports
>Synopsis:       [SECURITY] security/gnutls security update (2.12.23)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 04 14:20:02 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Phil Pennock
>Release:        n/a
>Organization:
Apcera, Inc.
>Environment:
n/a
>Description:
Announcements on the GnuTLS mailing-lists for releases 2.12.23, 3.0.28 and 3.1.7 of GnuTLS include this item in the list of changes:

** libgnutls: Fixes in record padding parsing to prevent a timing attack.
Issue reported by Kenny Patterson and Nadhem Alfardan.

The change diff shows that it's an attack against CBC modes.

The patches in Ports adjust the library version numbers, which suggests that it's unsafe to just override Ports' current version and install anyway, as we'll end up with library .so version discrepancies, so this one needs an update from the Port maintainer.
>How-To-Repeat:
Subscribe to GnuTLS mailing-lists, see announcements, pay attention when reading them.
>Fix:
Upgrade to latest release on branch.

Also: gnutls-devel is "2.99.4" which is ... rather dated.  That should probably be on either the 3.0 or 3.1 branch.

>Release-Note:
>Audit-Trail:
>Unformatted: