[gnutls-devel] GNUTLS-SA-2014-1 / CVE-2014-1959 only affects 3.[12].x?

mancha mancha1 at hush.com
Sat Feb 15 16:43:14 CET 2014

On Sat, 15 Feb 2014 15:16:55 +0000 "Andreas Metzler" wrote:
>http://www.gnutls.org/security.html#GNUTLS-SA-2014-1 says: "Suman 
>reported a vulnerability that affects the certificate verification
>functions of gnutls 3.1.x and gnutls 3.2.x."
>Is this correct, are 3.0.x and 2.x not affected?
>cu Andreas

Hello. According to my code review the issue is introduced in
2.11.5 when V1 trusted CAs began getting allowed by default.

Feel free to use my backport for 3.0.32:


