[gnutls-devel] gnutls 3.2.5

Tomas Hoger thoger at redhat.com
Thu Oct 24 10:58:21 CEST 2013


On Thu, 24 Oct 2013 09:57:47 +0200 Nikos Mavrogiannopoulos wrote:

> On 10/24/2013 09:27 AM, Tomas Hoger wrote:
> 
> >> ** libdane: Fixed a buffer overflow in dane_query_tlsa(). This
> >> could be triggered by a DNS server supplying more than 4 DANE
> >> records. Report and fix by Christian Grothoff.
> >
> > This sounds like a security fix rather than just a regular bug fix,
> > but 3.2.5 and 3.1.15 releases were not announced as security
> > updates.  As I can't say I'm familiar with DANE, I wonder if I may
> > be missing some good reason why this isn't or should not be
> > considered a security fix.
> 
>  It is a security fix. There is no different process for them though.
> I should assign a GNUTLS-SA though.

Ok, thank you for the quick confirmation.  I understand there's no
different process to produce such updates; tagging them as security can
help downstreams spot such must-have fixes.

-- 
Tomas Hoger / Red Hat Security Response Team


