[gnutls-devel] Use CVE-2015-6251 for GNUTLS-SA-2015-3.

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Sep 1 16:19:18 CEST 2015

On Tue, Sep 1, 2015 at 8:32 AM, Sona Sarmadi <sona.sarmadi at enea.com> wrote:
> Greetings,
> The Security Advisories page below says: "GNUTLS-SA-2015-2 No CVE assigned"
> http://www.gnutls.org/security.html#GNUTLS-SA-2015-1
> Mitre has assigned CVE-2015-6251 for GNUTLS-SA-2015-3:
> http://www.openwall.com/lists/oss-security/2015/08/17/6
> Just wanted to ping you to update the page, not sure though if this is the right mailing list.

Hello Sona,
 This is the right mailing list. Not sure I understand the request.
GNUTLS-SA-2015-3 has CVE-2015-6251 assigned, and I think that this is
visible in the security page. GNUTLS-SA-2015-2 has indeed no CVE
assigned which is also reflected in that page.

> One question,
> Why "CVE-2015-3308 gnutls: use-after-free flaw in CRL distribution points parsing" is not listed in
> the Security Advisories page?

I tend to prioritise advisories for issues that affect the majority of
applications. E.g., if there is a bug which causes a crash in all
gnutls clients, it will get an advisory as soon, for issues that
affect only a small set of applications an advisory may be skipped.
For these issues we rely mostly on 3rd parties' advisories. That's not
ideal, but a compromise due to limited time at the moment.

> (This is of some unknown reason for me still " ** RESERVED **" by Mitre:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3308)

Is that related with the no CVE assigned issue above?


More information about the Gnutls-devel mailing list