tags 309111 - fixed
tags 309111 + sarge
thanks

On Sun, May 15, 2005 at 09:15:23PM +0200, Moritz Muehlenhoff wrote:
> The second part fixes an issue in the RSA key export that looks worthy
> to be included in Sarge as well. My original report includes two
> patches; for the DoS issue and a patch which includes the RSA fix as
> well.

NMU'd -13.1 for unstable, Sarge still needs to be fixed. Steve Langasek
has expressed concerns about the unstable vs testing difference,
especially the changes in -11.

The below patch also applies cleanly to the sarge version, and I tested
it successfully with some SSL-using applications on two sarge machines
(both i386 though). Also the fix looks really non-invasively trivial.

Joey/security team, ok to upload the below (built for sarge, with
modified changelog entry (version & dist)) to testing-security?

--Jeroen

--- gnutls11-1.0.16/debian/changelog
+++ gnutls11-1.0.16/debian/changelog
@@ -1,3 +1,11 @@
+gnutls11 (1.0.16-13.1) unstable; urgency=high
+
+  * Non-Maintainer Upload fixing DoS
+  * DoS in TLS 1.x record packet parsing [CAN-2005-1431, GNUTLS-SA-2005-1]
+    (Closes: #309111)
+
+ -- Jeroen van Wolffelaar <[EMAIL PROTECTED]>  Sun, 22 May 2005 21:47:58 +0200
+
 gnutls11 (1.0.16-13) unstable; urgency=high
 
   * Fixed an ASN.1 extraction error.
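
Review bot: The two new bullets in the 1.0.16-13.1 entry say the same thing twice ("fixing DoS" and "DoS in TLS 1.x record packet parsing") and neither says what was changed. I would fold them into one item that names the change, for example that the TLS 1.x padding check in lib/gnutls_cipher.c is skipped once pad_failed is already set, and keep the CAN-2005-1431 / GNUTLS-SA-2005-1 references and the Closes: #309111 on that item. The entry is also written for "unstable", so the version and distribution fields need the edit mentioned in the mail before this goes to testing-security.
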
--- gnutls11-1.0.16.orig/lib/gnutls_cipher.c
+++ gnutls11-1.0.16/lib/gnutls_cipher.c
@@ -448,7 +448,7 @@
                
                /* Check the pading bytes (TLS 1.x)
                 */
-               if ( ver >= GNUTLS_TLS1)
+               if ( ver >= GNUTLS_TLS1 && pad_failed==0 )
                for (i=2;i<pad;i++) {
                        if (ciphertext.data[ciphertext.size-i] != 
ciphertext.data[ciphertext.size - 1]) 
                                pad_failed = GNUTLS_E_DECRYPTION_FAILED;
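
Review bot: The new `pad_failed==0` test on the `if` line is the only thing in this hunk that stops the `for (i=2;i<pad;i++)` loop from indexing `ciphertext.data[ciphertext.size-i]`, so the bounds safety of that read depends on an earlier check, outside the visible lines, having set pad_failed whenever pad is too large for the record. Please add a comment above the condition saying which earlier check is relied on, or make the bound explicit at the point of use by also testing pad against ciphertext.size here. The `if` also guards the `for` without braces; adding them would make it harder for a later edit to move the loop out from under the guard.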

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED]
http://jeroen.A-Eskwadraat.nl

