[Bug 1326779] Re: libgnutls28 appears to not have been updated for CVE-2014-3466 in Trusty

[Tyler Hicks]

No worries! I also prepared a 12.04 update since the patch is trivial.
Packages are building now.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1326779

Title:
  libgnutls28 appears to not have been updated for CVE-2014-3466 in
  Trusty

Status in gnutls28 package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  Although you've pushed out a patch for CVE-2014-3466 to libgnutls26 in
  the current stable LTS Ubuntu release (Trusty) you've not pushed out a
  corresponding patch for libgnutls28 (which is used by some packages).

  Looking at the apt-cache policy output:

  $ apt-cache policy libgnutls28
  libgnutls28:
    Installed: 3.2.11-2ubuntu1
    Candidate: 3.2.11-2ubuntu1
    Version table:
   *** 3.2.11-2ubuntu1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
          100 /var/lib/dpkg/status

  This would look like a vulnerable version according to the CVE report
  (also launchpad shows this package as not having been updated since
  the 5th of March).

  http://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2014-3466

  Can you please push out this patch asap, especially given that the
  vulnerability has been widely publicised in the media as of yesterday?

  Thanks,
  Dr Owain Kenway

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1326779/+subscriptions