CVE-2016-7444 vulnerability

Bug #1630544 reported by Derec
Affects: gnutls26 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

From: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7444

Vulnerability Summary for CVE-2016-7444
Original release date: 09/27/2016
Last revised: 09/28/2016
Source: US-CERT/NIST
Overview

The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7444 lists all versions pre-3.4.15 as vulnerable, so gnutls26 (2.12) should be assumed to be vulnerable.
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7444 lists gnutls28 as vulnerable but does not mention gnutls26.
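The NVD overview quoted above describes a serial-number comparison that does not check the length of the serial carried in the OCSP response, so extra trailing bytes in the buffer can go unnoticed. The C snippet below is an added illustration of that defect class and its fix; it is not GnuTLS code, not code from this bug report, and the function names `serial_matches_unchecked` / `serial_matches_checked`, the `serial_t` struct and the sample serial values are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical DER-INTEGER-style serial: raw bytes plus their length. */
typedef struct {
    const uint8_t *data;
    size_t size;
} serial_t;

/* Flawed comparison: only the shorter of the two lengths is compared, so a
 * buffer that carries the expected bytes followed by slack (for example
 * uninitialised trailing bytes left by an allocator) still "matches". */
bool serial_matches_unchecked(const serial_t *a, const serial_t *b) {
    size_t n = a->size < b->size ? a->size : b->size;
    return memcmp(a->data, b->data, n) == 0;
}

/* Hardened comparison: the lengths must agree before any bytes are compared,
 * so a serial with trailing bytes can never be mistaken for a shorter one. */
bool serial_matches_checked(const serial_t *a, const serial_t *b) {
    if (a->size != b->size)
        return false;
    return memcmp(a->data, b->data, a->size) == 0;
}

/* Constructed sample values: the certificate's serial, the same serial as it
 * would appear in a well-formed response, and a response buffer with one
 * extra trailing byte. */
static const uint8_t CERT_SERIAL[]        = {0x01, 0x02, 0x03};
static const uint8_t RESP_SERIAL_EXACT[]  = {0x01, 0x02, 0x03};
static const uint8_t RESP_SERIAL_SLACK[]  = {0x01, 0x02, 0x03, 0xff};

/* Returns 1 if the unchecked comparison wrongly accepts the slack buffer. */
int unchecked_accepts_slack(void) {
    serial_t cert = {CERT_SERIAL, sizeof CERT_SERIAL};
    serial_t resp = {RESP_SERIAL_SLACK, sizeof RESP_SERIAL_SLACK};
    return serial_matches_unchecked(&cert, &resp) ? 1 : 0;
}

/* Returns 1 if the checked comparison accepts the slack buffer (it must not). */
int checked_accepts_slack(void) {
    serial_t cert = {CERT_SERIAL, sizeof CERT_SERIAL};
    serial_t resp = {RESP_SERIAL_SLACK, sizeof RESP_SERIAL_SLACK};
    return serial_matches_checked(&cert, &resp) ? 1 : 0;
}

/* Returns 1 if the checked comparison accepts an exact-length match (it must). */
int checked_accepts_exact(void) {
    serial_t cert = {CERT_SERIAL, sizeof CERT_SERIAL};
    serial_t resp = {RESP_SERIAL_EXACT, sizeof RESP_SERIAL_EXACT};
    return serial_matches_checked(&cert, &resp) ? 1 : 0;
}

int main(void) {
    printf("unchecked accepts slack: %d\n", unchecked_accepts_slack());
    printf("checked accepts slack:   %d\n", checked_accepts_slack());
    printf("checked accepts exact:   %d\n", checked_accepts_exact());
    return 0;
}
```

The point for a reviewer auditing similar code: whenever two variable-length values are compared with `memcmp`, the length equality check has to come first; comparing over the shorter length turns any buffer with the expected prefix into a match.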

Derec (thomas-intapp)
information type: Private Security → Public
Marc Deslauriers (mdeslaur) wrote :

The vulnerable code isn't in 2.12.x, so the gnutls26 package isn't vulnerable.

Changed in gnutls26 (Ubuntu):
status: New → Invalid