Source: gnutls28
Version: 3.3.8-3
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for gnutls28.

CVE-2014-8564[0]:
Heap corruption when generating key ID for ECC (GNUTLS-SA-2014-5)

| An out-of-bounds memory write flaw was found in the way GnuTLS parsed
| certain ECC (Elliptic Curve Cryptography) certificates or certificate
| signing requests (CSR). A malicious user could create a specially
| crafted ECC certificate or a certificate signing request that, when
| processed by an application compiled against GnuTLS (for example,
| certtool), could cause that application to crash or execute arbitrary
| code with the permissions of the user running the application.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8564
[1] http://www.gnutls.org/security.html#GNUTLS-SA-2014-5
[2] https://gitorious.org/gnutls/gnutls/commit/e821e1908686657a45c1b735f6d077b7a8493e2b (3.3.x branch)

Regards,
Salvatore