[Bug 1326779] Re: libgnutls28 appears to not have been updated for CVE-2014-3466 in Trusty

Launchpad Bug Tracker 1326779 at bugs.launchpad.net
Thu Jun 11 18:11:57 UTC 2015


This bug was fixed in the package gnutls28 - 3.0.11-1ubuntu2.1

---------------
gnutls28 (3.0.11-1ubuntu2.1) precise-security; urgency=medium

  * SECURITY UPDATE: Denial of service and possible remote arbitrary code
    execution via crafted ServerHello message
    - debian/patches/21_CVE-2014-3466.patch: Add upper bounds check for
      session id size. Based on upstream patch. (LP: #1326779)

 -- Tyler Hicks <tyhicks at canonical.com>  Thu, 11 Jun 2015 10:51:35 -0500

** Changed in: gnutls28 (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1326779

Title:
  libgnutls28 appears to not have been updated for CVE-2014-3466 in
  Trusty

Status in gnutls28 package in Ubuntu:
  Fix Released

Bug description:
  Hi,

  Although you've pushed out a patch for CVE-2014-3466 to libgnutls26 in
  the current stable LTS Ubuntu release (Trusty), you've not pushed out a
  corresponding patch for libgnutls28 (which is used by some packages).

  Looking at the apt-cache policy output:

  $ apt-cache policy libgnutls28
  libgnutls28:
    Installed: 3.2.11-2ubuntu1
    Candidate: 3.2.11-2ubuntu1
    Version table:
   *** 3.2.11-2ubuntu1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
          100 /var/lib/dpkg/status

  This would look like a vulnerable version according to the CVE report
  (also Launchpad shows this package as not having been updated since
  the 5th of March).

  http://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2014-3466

  Can you please push out this patch asap, especially given that the
  vulnerability has been widely publicised in the media as of yesterday?

  Thanks,
  Dr Owain Kenway
