'A new flaw has been discovered in the GnuTLS cryptographic library
that ships with several popular Linux distributions and hundreds of
software implementations. According to the bug report, "A malicious
server could use this flaw to send an excessively long session id
value and trigger a buffer overflow in a connecting TLS/SSL client
using GnuTLS, causing it to crash or, possibly, execute arbitrary
code." A patch is currently available, but it will take time for all
of the software maintainers to implement it. A lengthy technical
analysis is available. "There don't appear to be any obvious signs
that an attack is under way, making it possible to exploit the
vulnerability in surreptitious "drive-by" attacks. There are no
reports that the vulnerability is actively being exploited in the
wild."'
-- source: http://linux.slashdot.org/story/14/06/03/1829251
Cheers, Peter
--
Peter Reutemann, Dept. of Computer Science, University of Waikato, NZ
http://www.cms.waikato.ac.nz/~fracpete/ Ph. +64 (7) 858-5174
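The bug class described in the quoted report, as an added example that is not part of the original message and is not GnuTLS's code: a constructed parser for the session_id field of a TLS ServerHello (2-byte version, 32-byte random, 1-byte session_id length, then the id). The unchecked copy trusts the peer-supplied length byte, which can hold up to 255 even though the protocol caps the id at 32 bytes; the checked parser rejects both an oversized length and a length that exceeds the bytes actually received. All function names, the message builder and the sample bytes are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS_MAX_SESSION_ID 32   /* protocol maximum (RFC 5246 7.4.1.3) */
#define SH_FIXED_LEN (2 + 32)   /* protocol version + server random */

/* Constructed ServerHello body layout (only the leading fields matter here):
 *   2 bytes  protocol version
 *  32 bytes  random
 *   1 byte   session_id length (0..32 by spec, but the byte can encode 0..255)
 *   N bytes  session_id
 *   ...      cipher suite, compression, extensions (not parsed in this example)
 */

typedef struct {
    uint8_t id[TLS_MAX_SESSION_ID];
    size_t len;
} session_id_t;

/* Vulnerable pattern (illustration only, never called by the tests): the
 * peer-supplied length byte drives a copy into a fixed 32-byte buffer, so a
 * length of 33..255 writes past the end of out->id. */
void copy_session_id_unchecked(const uint8_t *body, session_id_t *out)
{
    size_t n = body[SH_FIXED_LEN];
    memcpy(out->id, body + SH_FIXED_LEN + 1, n);  /* overflows when n > 32 */
    out->len = n;
}

/* Hardened form: bound the length by the spec maximum AND by the bytes that
 * are actually present before copying anything. Returns 0 on success, -1 on
 * a malformed or hostile message. */
int parse_session_id_checked(const uint8_t *body, size_t body_len, session_id_t *out)
{
    if (body_len < SH_FIXED_LEN + 1)
        return -1;                                /* no room for the length byte */
    size_t n = body[SH_FIXED_LEN];
    if (n > TLS_MAX_SESSION_ID)
        return -1;                                /* oversized id: reject, do not copy */
    if (body_len - (SH_FIXED_LEN + 1) < n)
        return -1;                                /* id truncated: would read past the message */
    memcpy(out->id, body + SH_FIXED_LEN + 1, n);
    out->len = n;
    return 0;
}

/* Build a constructed ServerHello body whose length byte is declared_len while
 * only actual_len id bytes are really appended (declared > actual models a
 * truncated message). Returns bytes written, or 0 if buf is too small. */
size_t build_server_hello(uint8_t *buf, size_t cap, uint8_t declared_len, size_t actual_len)
{
    size_t need = SH_FIXED_LEN + 1 + actual_len;
    if (cap < need)
        return 0;
    buf[0] = 0x03; buf[1] = 0x03;                 /* TLS 1.2 version bytes */
    memset(buf + 2, 0xAB, 32);                    /* constructed "random" */
    buf[SH_FIXED_LEN] = declared_len;
    for (size_t i = 0; i < actual_len; i++)
        buf[SH_FIXED_LEN + 1 + i] = (uint8_t)i;   /* constructed session id bytes */
    return need;
}

/* Wrapper used by the tests: build a message with the given lengths, run the
 * checked parser, and return the accepted id length, or -1 if rejected. */
int check_session_id_len(uint8_t declared_len, size_t actual_len)
{
    uint8_t msg[SH_FIXED_LEN + 1 + 255];
    session_id_t sid;
    size_t n = build_server_hello(msg, sizeof msg, declared_len, actual_len);
    if (n == 0)
        return -2;
    if (parse_session_id_checked(msg, n, &sid) != 0)
        return -1;
    return (int)sid.len;
}

int main(void)
{
    printf("32-byte id:            %d\n", check_session_id_len(32, 32));   /* accepted */
    printf("33-byte id:            %d\n", check_session_id_len(33, 33));   /* rejected */
    printf("255-byte id:           %d\n", check_session_id_len(255, 255)); /* rejected */
    printf("declared 16, sent 8:   %d\n", check_session_id_len(16, 8));    /* rejected */
    return 0;
}
```

The two checks are independent and both are needed: the spec-maximum check protects the fixed destination buffer, while the remaining-bytes check protects against an over-read of the source message when the declared length is within the cap but the peer sent fewer bytes.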