[SECURITY] gnutls

[SECURITY] gnutls

Yaakov Selkowitz
Dr. Volker,

Two security issues have been reported in GnuTLS:

https://www.gnutls.org/security.html#GNUTLS-SA-2016-2
https://www.gnutls.org/security.html#GNUTLS-SA-2016-3

At this point, I think the best way to proceed would be to:

1) release 3.3.24 with the patch for the latter, then;
2) update to 3.4.15, which involves an ABI break.

--
Yaakov

Re: [SECURITY] gnutls

Yaakov Selkowitz
On 2016-09-26 02:00, Yaakov Selkowitz wrote:

> Dr. Volker,
>
> Two security issues have been reported in GnuTLS:
>
> https://www.gnutls.org/security.html#GNUTLS-SA-2016-2
> https://www.gnutls.org/security.html#GNUTLS-SA-2016-3
>
> At this point, I think the best way to proceed would be to:
>
> 1) release 3.3.24 with the patch for the latter, then;
> 2) update to 3.4.15, which involves an ABI break.

nettle is also overdue for an update (it's also blocking an update to
filezilla); getting that in after 3.3.24 and prior to 3.4 would be best.

--
Yaakov

Re: [SECURITY] gnutls

Yaakov Selkowitz
On 2016-09-26 14:13, Yaakov Selkowitz wrote:

> On 2016-09-26 02:00, Yaakov Selkowitz wrote:
>> Dr. Volker,
>>
>> Two security issues have been reported in GnuTLS:
>>
>> https://www.gnutls.org/security.html#GNUTLS-SA-2016-2
>> https://www.gnutls.org/security.html#GNUTLS-SA-2016-3
>>
>> At this point, I think the best way to proceed would be to:
>>
>> 1) release 3.3.24 with the patch for the latter, then;
>> 2) update to 3.4.15, which involves an ABI break.
>
> nettle is also overdue for an update (it's also blocking an update to
> filezilla); getting that in after 3.3.24 and prior to 3.4 would be best.

Ping?  More vulnerabilities have been announced, so we need to revise
the above to 3.3.26 and 3.5.9.

--
Yaakov

Re: [SECURITY] gnutls

Yaakov Selkowitz
On 2017-02-22 12:46, Yaakov Selkowitz wrote:

> On 2016-09-26 14:13, Yaakov Selkowitz wrote:
>> On 2016-09-26 02:00, Yaakov Selkowitz wrote:
>>> Dr. Volker,
>>>
>>> Two security issues have been reported in GnuTLS:
>>>
>>> https://www.gnutls.org/security.html#GNUTLS-SA-2016-2
>>> https://www.gnutls.org/security.html#GNUTLS-SA-2016-3
>>>
>>> At this point, I think the best way to proceed would be to:
>>>
>>> 1) release 3.3.24 with the patch for the latter, then;
>>> 2) update to 3.4.15, which involves an ABI break.
>>
>> nettle is also overdue for an update (it's also blocking an update to
>> filezilla); getting that in after 3.3.24 and prior to 3.4 would be best.
>
> Ping?  More vulnerabilities have been announced, so we need to revise
> the above to 3.3.26 and 3.5.9.

Ping 2?

--
Yaakov

Re: [SECURITY] gnutls

Yaakov Selkowitz
On 2017-03-10 16:01, Yaakov Selkowitz wrote:

> On 2017-02-22 12:46, Yaakov Selkowitz wrote:
>> On 2016-09-26 14:13, Yaakov Selkowitz wrote:
>>> On 2016-09-26 02:00, Yaakov Selkowitz wrote:
>>>> Dr. Volker,
>>>>
>>>> Two security issues have been reported in GnuTLS:
>>>>
>>>> https://www.gnutls.org/security.html#GNUTLS-SA-2016-2
>>>> https://www.gnutls.org/security.html#GNUTLS-SA-2016-3
>>>>
>>>> At this point, I think the best way to proceed would be to:
>>>>
>>>> 1) release 3.3.24 with the patch for the latter, then;
>>>> 2) update to 3.4.15, which involves an ABI break.
>>>
>>> nettle is also overdue for an update (it's also blocking an update to
>>> filezilla); getting that in after 3.3.24 and prior to 3.4 would be best.
>>
>> Ping?  More vulnerabilities have been announced, so we need to revise
>> the above to 3.3.26 and 3.5.9.
>
> Ping 2?

Ping 3?

--
Yaakov

Re: [SECURITY] gnutls

Yaakov Selkowitz
On 2017-03-24 14:00, Yaakov Selkowitz wrote:

> On 2017-03-10 16:01, Yaakov Selkowitz wrote:
>> On 2017-02-22 12:46, Yaakov Selkowitz wrote:
>>> On 2016-09-26 14:13, Yaakov Selkowitz wrote:
>>>> On 2016-09-26 02:00, Yaakov Selkowitz wrote:
>>>>> Dr. Volker,
>>>>>
>>>>> Two security issues have been reported in GnuTLS:
>>>>>
>>>>> https://www.gnutls.org/security.html#GNUTLS-SA-2016-2
>>>>> https://www.gnutls.org/security.html#GNUTLS-SA-2016-3
>>>>>
>>>>> At this point, I think the best way to proceed would be to:
>>>>>
>>>>> 1) release 3.3.24 with the patch for the latter, then;
>>>>> 2) update to 3.4.15, which involves an ABI break.
>>>>
>>>> nettle is also overdue for an update (it's also blocking an update to
>>>> filezilla); getting that in after 3.3.24 and prior to 3.4 would be
>>>> best.
>>>
>>> Ping?  More vulnerabilities have been announced, so we need to revise
>>> the above to 3.3.26 and 3.5.9.
>>
>> Ping 2?
>
> Ping 3?

I have uploaded the latest versions of nettle and gnutls to fix these
issues.

--
Yaakov