Security holes in GnuTLS closed
The new version 2.2.5 of the GnuTLS library closes three vulnerabilities that attackers could exploit to prevent vulnerable systems accepting any more encrypted network connections. The developers have revised version 2.2.4, issued just a few hours beforehand, that also eliminated the holes but contained a new error that could cause connections to break down.
An advisory from the developers of GnuTLS says that one of the holes is a bug that triggers a null-pointer dereference, something that commonly enables the execution of arbitrary malicious code. Whether this occurs with the GnuTLS vulnerability is at the moment still unclear. The three security holes affect all versions before 2.2.4. Besides the new stable release, however, patches are also provided for the older versions 1.2.11, 1.4.5, 1.6.3, 2.0.4 and 2.2.3, which are evidently still in common use.
(trk)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
