Currently the core GnuTLS team does not have the resources to analyse the background and impact of security problems in as much detail as we would like. However, we do take security seriously. Collecting and publishing information about security incidents in GnuTLS furthers the goals of the project, so we want to have useful security advisories.
Our idea is to turn writing security advisories into an open process to which everyone can contribute. Everyone is invited to analyse the impact of discovered bugs and, of course, also to study the code for new bugs.
All serious analysis of bugs will be posted on this page.
If this level of support is inadequate for your needs, customized commercial support can be arranged.
Send non-public reports to the maintainer. All other reports should be sent to one of the mailing lists.
| Tag | Severity | Information |
|---|---|---|
| GNUTLS-SA-2009-1 (CVE-2009-1415) | Double/invalid free in GnuTLS 2.6.x on certain errors | Security advisory including patch. Announcement of v2.6.6 that includes the patch. Recommendation: if you are using GnuTLS 2.6.x, upgrade to GnuTLS 2.6.6. |
| GNUTLS-SA-2009-2 (CVE-2009-1416) | GnuTLS 2.6.x DSA keys are corrupt | Security advisory including patch. Announcement of v2.6.6 that includes the patch. Recommendation: if you are using GnuTLS 2.6.x, upgrade to GnuTLS 2.6.6. |
| GNUTLS-SA-2009-3 (CVE-2009-1417) | No checking of certificate activation/expiration times | Security advisory including patch. Announcement of v2.6.6 that includes the patch. Recommendation: upgrade to GnuTLS 2.6.6 or later. If you still use the 2.4.x branch or earlier branches, apply the patch. |
| GNUTLS-SA-2008-3 (CVE-2008-4989) | Remote X.509 trust chain validation error | Announcement of v2.6.1 and patch. Detailed analysis. Announcement of v2.6.2 and updated patch. Announcement of updated patch and 2.6.3 release candidate. Announcement of v2.6.3. Announcement of v2.6.4 and v2.4.3. Recommendation: upgrade to GnuTLS 2.6.4 or later, or, if you still use the 2.4.x branch, to 2.4.3 or later. |
| GNUTLS-SA-2008-2 (CVE-2008-2377) | Local denial of service; server can trigger crash in GnuTLS clients? | Announcement. Detailed analysis and patch. Another report that suggests it can be exploited by hostile servers. Recommendation: upgrade to GnuTLS 2.4.1 or apply the patch. |
| GNUTLS-SA-2008-1 (CERT-FI announcement; CVE-2008-1948, CVE-2008-1949, CVE-2008-1950) | Remote denial of service | Announcement and patch. Updated announcement and patch. Recommendation: upgrade to GnuTLS 2.2.5 or apply the patch in the second link. |
| GNUTLS-SA-2006-4 (CVE-2006-4790, via NVD) | False positive in verifying signature | Announcement. Updated patch. Original report. Recommendation: upgrade to GnuTLS 1.4.4. |
| | None | Announcement. Bleichenbacher's Crypto 98 paper. Recommendation: no action required; see the post where this advisory is essentially withdrawn. |
| GNUTLS-SA-2006-2 | Denial of service? | Details. Recommendation: upgrade to GnuTLS 1.4.2. |
| GNUTLS-SA-2006-1 (CVE-2006-0645) | Denial of service? | Libtasn1 announcement. Recommendation: upgrade to Libtasn1 0.2.18 and GnuTLS 1.2.10 (stable) or 1.3.4 (experimental). |
| GNUTLS-SA-2005-1 | Denial of service | Announcement. Write-up by Éric Leblond. Recommendation: upgrade to GnuTLS 1.0.25 or 1.2.3. |
Please send FSF & GNU inquiries to <gnu@gnu.org>. There are also other ways to contact the FSF.
Please send broken links and other corrections or suggestions to <bug-gnutls@gnu.org>.
Copyright © 2009 Free Software Foundation, Inc.
Verbatim copying and distribution of this entire article are permitted worldwide, without royalty, in any medium, provided this notice, and the copyright notice, are preserved.
Updated: 2009/06/10 16:54:44