[gnutls-devel] GNUTLS-SA-2017-4 (was: gnutls 3.5.13)

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Jun 11 16:27:15 CEST 2017


On Sun, 2017-06-11 at 11:43 +0200, Andreas Metzler wrote:
> On 2017-06-07 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> > Hello, 
> >  I've just released gnutls 3.5.13. This is a bug fix release on the
> > 3.5.x branch.
> 
> [...]
> > ** libgnutls: no longer parse the ResponseID field of the status response
> >    TLS extension. The field is not used by GnuTLS nor is made available to
> >    calling applications. That addresses a null pointer dereference on server
> >    side caused by packets containing the ResponseID field. Reported
> >    by Hubert Kario. [GNUTLS-SA-2017-4]
> 
> [...]
> 
> Hello,
> 
> do you know to which versions of GnuTLS this applies? Afaict it seems
> to apply to 3.3.8, too.

Hi,
 It certainly applies to 3.3.x branch; I have not investigated other
versions (though 2.12.x are not vulnerable as this extension is not
supported). There is a patch on the 3.3.x branch for it.

regards,
Nikos
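
The approach named in the quoted release note (stop interpreting a field the server never uses), shown as an added example; it is not part of this thread and is not GnuTLS code. It assumes the "ResponseID field" is the `responder_id_list` of the RFC 6066 `status_request` extension; the function names, return codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum { SR_OK = 0, SR_UNSUPPORTED_TYPE = -1, SR_TRUNCATED = -2, SR_TRAILING = -3 };

/* Constructed sample extension bodies (not captured traffic). */
static const uint8_t sample_empty[]    = { 0x01, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t sample_with_ids[] = { 0x01, 0x00, 0x04, 0x00, 0x02, 0xAA, 0xBB, 0x00, 0x00 };
static const uint8_t sample_bad_len[]  = { 0x01, 0xFF, 0xFF, 0x00 };

/* Step over a vector with a 16-bit big-endian length prefix without
 * interpreting its contents; fail if the length exceeds what is left. */
static int skip_vec16(const uint8_t **p, size_t *left)
{
    size_t len;
    if (*left < 2) return SR_TRUNCATED;
    len = ((size_t)(*p)[0] << 8) | (*p)[1];
    *p += 2; *left -= 2;
    if (len > *left) return SR_TRUNCATED;
    *p += len; *left -= len;
    return SR_OK;
}

/* Validate a status_request extension body (RFC 6066, section 8):
 *   status_type(1) | responder_id_list<0..2^16-1> | request_extensions<0..2^16-1>
 * The ResponderID entries are length-checked and skipped, never decoded. */
int parse_status_request(const uint8_t *data, size_t size)
{
    const uint8_t *p = data;
    size_t left = size;
    int ret;

    if (data == NULL || left < 1) return SR_TRUNCATED;
    if (p[0] != 0x01) return SR_UNSUPPORTED_TYPE;  /* 1 = ocsp */
    p++; left--;
    if ((ret = skip_vec16(&p, &left)) != SR_OK) return ret;  /* responder_id_list */
    if ((ret = skip_vec16(&p, &left)) != SR_OK) return ret;  /* request_extensions */
    return left == 0 ? SR_OK : SR_TRAILING;
}

int main(void)
{
    return (parse_status_request(sample_empty, sizeof sample_empty) == SR_OK &&
            parse_status_request(sample_with_ids, sizeof sample_with_ids) == SR_OK &&
            parse_status_request(sample_bad_len, sizeof sample_bad_len) == SR_TRUNCATED) ? 0 : 1;
}
```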



