ports/175831: [SECURITY] security/gnutls security update (2.12.23)
Phil Pennock
phil.pennock at globnix.org
Mon Feb 4 14:20:05 UTC 2013
>Number: 175831
>Category: ports
>Synopsis: [SECURITY] security/gnutls security update (2.12.23)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Feb 04 14:20:02 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Phil Pennock
>Release: n/a
>Organization:
Apcera, Inc.
>Environment:
n/a
>Description:
Announcements on the GnuTLS mailing-lists for releases 2.12.23, 3.0.28 and 3.1.7 of GnuTLS include this item in the list of changes:
** libgnutls: Fixes in record padding parsing to prevent a timing attack.
Issue reported by Kenny Patterson and Nadhem Alfardan.
The change diff shows that it's an attack against CBC modes.
The patches in Ports adjust the library version numbers, which suggests that it's unsafe to just override Ports' current version and install anyway, as we'll end up with library .so version discrepancies, so this one needs an update from the Port maintainer.
>How-To-Repeat:
Subscribe to GnuTLS mailing-lists, see announcements, pay attention when reading them.
>Fix:
Upgrade to latest release on branch.
Also: gnutls-devel is "2.99.4" which is ... rather dated. That should probably be on either the 3.0 or 3.1 branch.
>Release-Note:
>Audit-Trail:
>Unformatted: