[Bug 1630544] Re: CVE-2016-7444 vulnerability
Marc Deslauriers
marc.deslauriers at canonical.com
Wed Mar 22 11:17:05 UTC 2017
The vulnerable code isn't in 2.12.x, so the gnutls26 package isn't
vulnerable.
** Changed in: gnutls26 (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1630544
Title:
CVE-2016-7444 vulnerability
Status in gnutls26 package in Ubuntu:
Invalid
Bug description:
From: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7444
Vulnerability Summary for CVE-2016-7444
Original release date: 09/27/2016
Last revised: 09/28/2016
Source: US-CERT/NIST
Overview
The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS
before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length
of an OCSP response, which might allow remote attackers to bypass an
intended certificate validation mechanism via vectors involving
trailing bytes left by gnutls_malloc.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7444 lists all versions pre-3.4.15 as vulnerable, so 26 (2.12) should be assumed to be vulnerable.
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7444 lists gnutls28 as vulnerable but does not mention gnutls26.
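The NVD overview quoted above describes the defect class as a serial-number comparison that never verifies the length of the serial carried in the OCSP response. The following is an added illustrative model written for this page; it is not GnuTLS code, and `serial_t`, `make_serial`, `serial_matches_weak` and `serial_matches_strict` are hypothetical names. It places the unchecked comparison beside the length-checked one and uses a constructed buffer tail to stand in for the leftover allocator bytes the advisory mentions, so the difference in outcome is deterministic and can be seen without any real heap state.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only, not GnuTLS code: a serial number held in a fixed
 * buffer with an explicit length. Bytes past `size` are "stale"; in the real
 * bug they were whatever the allocator happened to leave behind. */
#define SERIAL_CAP 16

typedef struct {
    uint8_t data[SERIAL_CAP];
    size_t size;
} serial_t;

/* Build a serial from constructed bytes; `tail` fills the unused capacity so
 * that reading past the real length gives a deterministic result here. */
static serial_t make_serial(const uint8_t *bytes, size_t n, uint8_t tail)
{
    serial_t s;
    memset(s.data, tail, sizeof s.data);
    memcpy(s.data, bytes, n);
    s.size = n;
    return s;
}

/* Weak check: compares cert->size bytes and never consults resp->size, so a
 * shorter response serial whose stale tail happens to match is accepted. */
int serial_matches_weak(const serial_t *cert, const serial_t *resp)
{
    return memcmp(cert->data, resp->data, cert->size) == 0;
}

/* Hardened check: the lengths must agree before any bytes are compared. */
int serial_matches_strict(const serial_t *cert, const serial_t *resp)
{
    if (cert->size != resp->size)
        return 0;
    return memcmp(cert->data, resp->data, cert->size) == 0;
}

/* Scenario (constructed): certificate serial 0A 0B 0C 0C; the response carries
 * only 0A 0B, and its unused buffer tail is filled with 0C. */
static void build_short_case(serial_t *cert, serial_t *resp)
{
    const uint8_t cert_bytes[] = {0x0A, 0x0B, 0x0C, 0x0C};
    const uint8_t resp_bytes[] = {0x0A, 0x0B};
    *cert = make_serial(cert_bytes, sizeof cert_bytes, 0x00);
    *resp = make_serial(resp_bytes, sizeof resp_bytes, 0x0C);
}

/* Returns 1: the weak check reads two stale bytes and reports a match. */
int weak_accepts_short_serial(void)
{
    serial_t cert, resp;
    build_short_case(&cert, &resp);
    return serial_matches_weak(&cert, &resp);
}

/* Returns 0: the strict check rejects on the length mismatch alone. */
int strict_rejects_short_serial(void)
{
    serial_t cert, resp;
    build_short_case(&cert, &resp);
    return serial_matches_strict(&cert, &resp);
}

/* Returns 1: when serials are genuinely identical, both checks agree. */
int both_accept_exact_match(void)
{
    const uint8_t bytes[] = {0x01, 0x02, 0x03, 0x04};
    serial_t cert = make_serial(bytes, sizeof bytes, 0x00);
    serial_t resp = make_serial(bytes, sizeof bytes, 0xFF);
    return serial_matches_weak(&cert, &resp) && serial_matches_strict(&cert, &resp);
}

int main(void)
{
    printf("weak check, short serial:   %d\n", weak_accepts_short_serial());
    printf("strict check, short serial: %d\n", strict_rejects_short_serial());
    printf("exact match, both checks:   %d\n", both_accept_exact_match());
    return 0;
}
```

The point for a reviewer of any such comparison is that `memcmp` with one side's length is only a prefix test; an equality check on variable-length DER values needs the length comparison first, and that is the kind of check the advisory says was missing before 3.4.15 and 3.5.4.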