[Slackware current]: Problem in Aug-30-2013 updates (?)
Pat:
Slackware issued a security bulletin announcing an upgrade to GnuTLS 3.0.26 to address CVE-2013-1619 (aka Lucky-13). I believe this was a small lapsus; the fix wasn't introduced until GnuTLS 3.0.28. However, as long as GnuTLS is being upgraded on Slackware 14 & current, any reason to avoid the latest 3.0.31 on 3.0.x?

Also, xlockmore was upgraded to version 5.43 but didn't receive a security notice though it was specifically released to address CVE-2013-4143. How come?

--mancha |
It appears to be correct. According to this page, the upstream version that fixed this problem is 3.0.28, not 3.0.26.
About xlockmore, I believe it's because there hasn't been any information about this on CVE's website.
|
By the way, I spent most of yesterday looking at gnutls for earlier versions, and found that none of the newer versions will compile on Slackware 13.37 or earlier without adding additional dependencies, and what patches I could find won't apply to the existing versions. On the bright side, not many programs used gnutls until Slackware 14.0. And as far as making a big version jump to fix earlier Slackware releases goes, based on my past experiences with gnutls I'm guessing both runtime and compile issues would be likely to occur.
|
--mancha |
Compared to OpenSSL, gnutls isn't very maintainable. It's too bad all these licenses can't get along. |
New gnutls updates out for 14.0 and -current.
|
FYI, for the latest version of wireshark to show the decrypted content of SSL traffic (with supplied key), it needs to compile with gnutls instead of OpenSSL. And it requires a minimum gnutls version of 3.1.10.
Not sure if Slackware could upgrade the gnutls version to the current stable line of 3.1.x. |
Here it is. gnutls-cve-backports.tar.bz2 contains patchsets for GnuTLS 2.8.4, GnuTLS 2.8.6, and GnuTLS 2.10.5 which address:

Code:
GnuTLS 2.8.4 GnuTLS 2.8.6 GnuTLS 2.10.5

Slackware 14.0 & current are already OK.

Please take a look at the README first; it contains important info.

The signature (gnutls-cve-backports.tar.bz2.sig) was made with this key:

PGP: 0x25168EB24F0B22AC
56B7 100E F4D5 811C 8FEF ADD1 2516 8EB2 4F0B 22AC

--mancha |
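An added example, not part of the original post or of the tarball: one way to check the detached signature against the full fingerprint quoted above rather than the short key ID alone. The function names are hypothetical, and it assumes GnuPG is installed and the signing key has already been imported into the keyring.

```shell
#!/bin/sh
# Full fingerprint from the post above, spaces removed.
PINNED_FPR="56B7100EF4D5811C8FEFADD125168EB24F0B22AC"

# check_status WANT_FPR
# Reads gpg --status-fd output on stdin. Succeeds only when:
#   - a GOODSIG line is present (good signature, key not expired/revoked),
#   - a VALIDSIG line names WANT_FPR as signing-key or primary-key
#     fingerprint (field 3 or the last field), and
#   - no BADSIG or ERRSIG line appears.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        END { exit ((good && ok && !bad) ? 0 : 1) }
    '
}

# verify_backports TARBALL SIGFILE
# Runs gpg on the detached signature and applies the pinned-fingerprint
# check to its machine-readable status output.
verify_backports() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$PINNED_FPR"
}
```

Call it as `verify_backports gnutls-cve-backports.tar.bz2 gnutls-cve-backports.tar.bz2.sig` and unpack only when it returns 0. A "Good signature" message alone only says that some key in the keyring signed the file; comparing the 40-digit fingerprint ties the result to the key named in the post.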