guix-devel

gnutls package may be vulnerable to CVE-2021-20232


From: Léo Le Bouter
Subject: gnutls package may be vulnerable to CVE-2021-20232
Date: Sat, 13 Mar 2021 02:25:14 +0100
User-agent: Evolution 3.34.2

CVE-2021-20232  12.03.21 20:15
A flaw was found in gnutls. A use after free issue in
client_send_params in lib/ext/pre_shared_key.c may lead to memory
corruption and other potential consequences.

It is not certain whether 3.6.x series are affected as packaged in GNU
Guix. I asked the upstream at
<https://gitlab.com/gnutls/gnutls/-/issues/1151#note_528567535>. Let's
wait for an answer, or then apply/backport this commit
(https://gitlab.com/gnutls/gnutls/-/commit/75a937d97f4fefc6f9b08e3791f151445f551cb3)
to 3.6.x series.

A rather low impact vulnerability upstream says, but I would be careful
there as an experienced exploit writer could find reliable ways to
exploit it in my opinion.

Let's patch this as soon as possible!
