On 2014-06-25 Kurt Roeckx <k...@roeckx.be> wrote:
> Package: lynx-cur, libgnutls26
> Severity: serious
> Tags: security
> Hi,
>
> There is a test site for checking the gnutls bug:
> https://gnutls.notary.icsi.berkeley.edu/
>
> I can connect to it and get the message:
> If you see this without getting a certificate error you are
> vulnerable against the GnuTLS bug
[...]

Hello Kurt,

afaiui this site checks for CVE-2014-0092, not CVE-2014-1959, and indeed
an important difference comes up when comparing

    gnutls-cli -p 443 gnutls.notary.icsi.berkeley.edu --x509cafile \
        /etc/ssl/certs/ca-certificates.crt

with libgnutls26_2.12.20-8 and libgnutls26_2.12.20-8+deb7u1. The older
unfixed version connects successfully and trusts the certificate, the
newer one does not.

Also for reference reproducing the issue on current sid/testing requires
downgrading libtasn1-6 to <= 3.2-1.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'